- Add devicekit policy
This commit is contained in:
parent
4e42f3a511
commit
70d5ccf098
@ -11412,6 +11412,216 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
corenet_udp_sendrecv_generic_if(dcc_client_t)
|
corenet_udp_sendrecv_generic_if(dcc_client_t)
|
||||||
corenet_udp_sendrecv_generic_node(dcc_client_t)
|
corenet_udp_sendrecv_generic_node(dcc_client_t)
|
||||||
corenet_udp_sendrecv_all_ports(dcc_client_t)
|
corenet_udp_sendrecv_all_ports(dcc_client_t)
|
||||||
|
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/devicekit.fc serefpolicy-3.6.3/policy/modules/services/devicekit.fc
|
||||||
|
--- nsaserefpolicy/policy/modules/services/devicekit.fc 1969-12-31 19:00:00.000000000 -0500
|
||||||
|
+++ serefpolicy-3.6.3/policy/modules/services/devicekit.fc 2009-01-19 17:04:16.000000000 -0500
|
||||||
|
@@ -0,0 +1,4 @@
|
||||||
|
+
|
||||||
|
+/usr/libexec/devkit-daemon -- gen_context(system_u:object_r:devicekit_exec_t,s0)
|
||||||
|
+/usr/libexec/devkit-power-daemon -- gen_context(system_u:object_r:devicekit_power_exec_t,s0)
|
||||||
|
+/var/run/devkit(/.*)? gen_context(system_u:object_r:devicekit_var_run_t,s0)
|
||||||
|
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/devicekit.if serefpolicy-3.6.3/policy/modules/services/devicekit.if
|
||||||
|
--- nsaserefpolicy/policy/modules/services/devicekit.if 1969-12-31 19:00:00.000000000 -0500
|
||||||
|
+++ serefpolicy-3.6.3/policy/modules/services/devicekit.if 2009-01-19 17:09:09.000000000 -0500
|
||||||
|
@@ -0,0 +1,139 @@
|
||||||
|
+
|
||||||
|
+## <summary>policy for devicekit</summary>
|
||||||
|
+
|
||||||
|
+########################################
|
||||||
|
+## <summary>
|
||||||
|
+## Execute a domain transition to run devicekit.
|
||||||
|
+## </summary>
|
||||||
|
+## <param name="domain">
|
||||||
|
+## <summary>
|
||||||
|
+## Domain allowed to transition.
|
||||||
|
+## </summary>
|
||||||
|
+## </param>
|
||||||
|
+#
|
||||||
|
+interface(`devicekit_domtrans',`
|
||||||
|
+ gen_require(`
|
||||||
|
+ type devicekit_t;
|
||||||
|
+ type devicekit_exec_t;
|
||||||
|
+ ')
|
||||||
|
+
|
||||||
|
+ domtrans_pattern($1,devicekit_exec_t,devicekit_t)
|
||||||
|
+')
|
||||||
|
+
|
||||||
|
+
|
||||||
|
+########################################
|
||||||
|
+## <summary>
|
||||||
|
+## Read devicekit PID files.
|
||||||
|
+## </summary>
|
||||||
|
+## <param name="domain">
|
||||||
|
+## <summary>
|
||||||
|
+## Domain allowed access.
|
||||||
|
+## </summary>
|
||||||
|
+## </param>
|
||||||
|
+#
|
||||||
|
+interface(`devicekit_read_pid_files',`
|
||||||
|
+ gen_require(`
|
||||||
|
+ type devicekit_var_run_t;
|
||||||
|
+ ')
|
||||||
|
+
|
||||||
|
+ files_search_pids($1)
|
||||||
|
+ allow $1 devicekit_var_run_t:file read_file_perms;
|
||||||
|
+')
|
||||||
|
+
|
||||||
|
+########################################
|
||||||
|
+## <summary>
|
||||||
|
+## Manage devicekit var_run files.
|
||||||
|
+## </summary>
|
||||||
|
+## <param name="domain">
|
||||||
|
+## <summary>
|
||||||
|
+## Domain allowed access.
|
||||||
|
+## </summary>
|
||||||
|
+## </param>
|
||||||
|
+#
|
||||||
|
+interface(`devicekit_manage_var_run',`
|
||||||
|
+ gen_require(`
|
||||||
|
+ type devicekit_var_run_t;
|
||||||
|
+ ')
|
||||||
|
+
|
||||||
|
+ manage_dirs_pattern($1,devicekit_var_run_t,devicekit_var_run_t)
|
||||||
|
+ manage_files_pattern($1,devicekit_var_run_t,devicekit_var_run_t)
|
||||||
|
+ manage_lnk_files_pattern($1,devicekit_var_run_t,devicekit_var_run_t)
|
||||||
|
+')
|
||||||
|
+
|
||||||
|
+
|
||||||
|
+########################################
|
||||||
|
+## <summary>
|
||||||
|
+## Send and receive messages from
|
||||||
|
+## devicekit over dbus.
|
||||||
|
+## </summary>
|
||||||
|
+## <param name="domain">
|
||||||
|
+## <summary>
|
||||||
|
+## Domain allowed access.
|
||||||
|
+## </summary>
|
||||||
|
+## </param>
|
||||||
|
+#
|
||||||
|
+interface(`devicekit_dbus_chat',`
|
||||||
|
+ gen_require(`
|
||||||
|
+ type devicekit_t;
|
||||||
|
+ class dbus send_msg;
|
||||||
|
+ ')
|
||||||
|
+
|
||||||
|
+ allow $1 devicekit_t:dbus send_msg;
|
||||||
|
+ allow devicekit_t $1:dbus send_msg;
|
||||||
|
+')
|
||||||
|
+
|
||||||
|
+########################################
|
||||||
|
+## <summary>
|
||||||
|
+## Send and receive messages from
|
||||||
|
+## devicekit power over dbus.
|
||||||
|
+## </summary>
|
||||||
|
+## <param name="domain">
|
||||||
|
+## <summary>
|
||||||
|
+## Domain allowed access.
|
||||||
|
+## </summary>
|
||||||
|
+## </param>
|
||||||
|
+#
|
||||||
|
+interface(`devicekit_power_dbus_chat',`
|
||||||
|
+ gen_require(`
|
||||||
|
+ type devicekit_t;
|
||||||
|
+ class dbus send_msg;
|
||||||
|
+ ')
|
||||||
|
+
|
||||||
|
+ allow $1 devicekit_power_t:dbus send_msg;
|
||||||
|
+ allow devicekit_power_t $1:dbus send_msg;
|
||||||
|
+')
|
||||||
|
+
|
||||||
|
+########################################
|
||||||
|
+## <summary>
|
||||||
|
+## All of the rules required to administrate
|
||||||
|
+## an devicekit environment
|
||||||
|
+## </summary>
|
||||||
|
+## <param name="domain">
|
||||||
|
+## <summary>
|
||||||
|
+## Domain allowed access.
|
||||||
|
+## </summary>
|
||||||
|
+## </param>
|
||||||
|
+## <param name="role">
|
||||||
|
+## <summary>
|
||||||
|
+## The role to be allowed to manage the devicekit domain.
|
||||||
|
+## </summary>
|
||||||
|
+## </param>
|
||||||
|
+## <param name="terminal">
|
||||||
|
+## <summary>
|
||||||
|
+## The type of the user terminal.
|
||||||
|
+## </summary>
|
||||||
|
+## </param>
|
||||||
|
+## <rolecap/>
|
||||||
|
+#
|
||||||
|
+interface(`devicekit_admin',`
|
||||||
|
+ gen_require(`
|
||||||
|
+ type devicekit_t;
|
||||||
|
+ ')
|
||||||
|
+
|
||||||
|
+ allow $1 devicekit_t:process { ptrace signal_perms getattr };
|
||||||
|
+ read_files_pattern($1, devicekit_t, devicekit_t)
|
||||||
|
+
|
||||||
|
+
|
||||||
|
+ devicekit_manage_var_run($1)
|
||||||
|
+
|
||||||
|
+')
|
||||||
|
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/devicekit.te serefpolicy-3.6.3/policy/modules/services/devicekit.te
|
||||||
|
--- nsaserefpolicy/policy/modules/services/devicekit.te 1969-12-31 19:00:00.000000000 -0500
|
||||||
|
+++ serefpolicy-3.6.3/policy/modules/services/devicekit.te 2009-01-19 17:06:44.000000000 -0500
|
||||||
|
@@ -0,0 +1,55 @@
|
||||||
|
+policy_module(devicekit,1.0.0)
|
||||||
|
+
|
||||||
|
+########################################
|
||||||
|
+#
|
||||||
|
+# Declarations
|
||||||
|
+#
|
||||||
|
+
|
||||||
|
+type devicekit_t;
|
||||||
|
+type devicekit_exec_t;
|
||||||
|
+dbus_system_domain(devicekit_t, devicekit_exec_t)
|
||||||
|
+
|
||||||
|
+permissive devicekit_t;
|
||||||
|
+
|
||||||
|
+type devicekit_power_t;
|
||||||
|
+type devicekit_power_exec_t;
|
||||||
|
+dbus_system_domain(devicekit_power_t, devicekit_power_exec_t)
|
||||||
|
+
|
||||||
|
+permissive devicekit_power_t;
|
||||||
|
+
|
||||||
|
+type devicekit_var_run_t;
|
||||||
|
+files_pid_file(devicekit_var_run_t)
|
||||||
|
+
|
||||||
|
+#
|
||||||
|
+# DeviceKit local policy
|
||||||
|
+#
|
||||||
|
+
|
||||||
|
+manage_dirs_pattern(devicekit_t, devicekit_var_run_t, devicekit_var_run_t)
|
||||||
|
+manage_files_pattern(devicekit_t, devicekit_var_run_t, devicekit_var_run_t)
|
||||||
|
+files_pid_filetrans(devicekit_t,devicekit_var_run_t, { file dir })
|
||||||
|
+
|
||||||
|
+fs_list_inotifyfs(devicekit_t)
|
||||||
|
+
|
||||||
|
+optional_policy(`
|
||||||
|
+ dbus_system_bus_client(devicekit_t)
|
||||||
|
+')
|
||||||
|
+
|
||||||
|
+#
|
||||||
|
+# DeviceKit-Power local policy
|
||||||
|
+#
|
||||||
|
+
|
||||||
|
+dev_rw_netcontrol(devicekit_power_t)
|
||||||
|
+files_read_etc_files(devicekit_power_t)
|
||||||
|
+fs_list_inotifyfs(devicekit_power_t)
|
||||||
|
+
|
||||||
|
+optional_policy(`
|
||||||
|
+ polkit_read_reload(devicekit_power_t)
|
||||||
|
+')
|
||||||
|
+
|
||||||
|
+optional_policy(`
|
||||||
|
+ dbus_system_bus_client(devicekit_power_t)
|
||||||
|
+ allow devicekit_power_t devicekit_t:dbus send_msg;
|
||||||
|
+ allow devicekit_t devicekit_power_t:dbus send_msg;
|
||||||
|
+')
|
||||||
|
+
|
||||||
|
+
|
||||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dhcp.if serefpolicy-3.6.3/policy/modules/services/dhcp.if
|
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dhcp.if serefpolicy-3.6.3/policy/modules/services/dhcp.if
|
||||||
--- nsaserefpolicy/policy/modules/services/dhcp.if 2008-11-18 18:57:20.000000000 -0500
|
--- nsaserefpolicy/policy/modules/services/dhcp.if 2008-11-18 18:57:20.000000000 -0500
|
||||||
+++ serefpolicy-3.6.3/policy/modules/services/dhcp.if 2009-01-19 13:10:02.000000000 -0500
|
+++ serefpolicy-3.6.3/policy/modules/services/dhcp.if 2009-01-19 13:10:02.000000000 -0500
|
||||||
@ -21508,7 +21718,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
## display.
|
## display.
|
||||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.te serefpolicy-3.6.3/policy/modules/services/xserver.te
|
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.te serefpolicy-3.6.3/policy/modules/services/xserver.te
|
||||||
--- nsaserefpolicy/policy/modules/services/xserver.te 2009-01-19 11:06:49.000000000 -0500
|
--- nsaserefpolicy/policy/modules/services/xserver.te 2009-01-19 11:06:49.000000000 -0500
|
||||||
+++ serefpolicy-3.6.3/policy/modules/services/xserver.te 2009-01-19 14:47:14.000000000 -0500
|
+++ serefpolicy-3.6.3/policy/modules/services/xserver.te 2009-01-19 17:08:51.000000000 -0500
|
||||||
@@ -34,6 +34,13 @@
|
@@ -34,6 +34,13 @@
|
||||||
|
|
||||||
## <desc>
|
## <desc>
|
||||||
@ -21838,7 +22048,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@@ -515,12 +572,35 @@
|
@@ -515,12 +572,41 @@
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@ -21852,14 +22062,20 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
+ dbus_system_bus_client(xdm_t)
|
+ dbus_system_bus_client(xdm_t)
|
||||||
+
|
+
|
||||||
+ optional_policy(`
|
+ optional_policy(`
|
||||||
|
+ devicekit_power_dbus_chat(xdm_t)
|
||||||
|
+ ')
|
||||||
|
+
|
||||||
|
+ optional_policy(`
|
||||||
+ hal_dbus_chat(xdm_t)
|
+ hal_dbus_chat(xdm_t)
|
||||||
+ ')
|
+ ')
|
||||||
+
|
+
|
||||||
+ optional_policy(`
|
+ optional_policy(`
|
||||||
+ networkmanager_dbus_chat(xdm_t)
|
+ networkmanager_dbus_chat(xdm_t)
|
||||||
+ ')
|
+ ')
|
||||||
|
+
|
||||||
+')
|
+')
|
||||||
+
|
+
|
||||||
|
+
|
||||||
+optional_policy(`
|
+optional_policy(`
|
||||||
# Talk to the console mouse server.
|
# Talk to the console mouse server.
|
||||||
gpm_stream_connect(xdm_t)
|
gpm_stream_connect(xdm_t)
|
||||||
@ -21874,7 +22090,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
hostname_exec(xdm_t)
|
hostname_exec(xdm_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
@@ -542,6 +622,19 @@
|
@@ -542,6 +628,19 @@
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@ -21894,7 +22110,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
seutil_sigchld_newrole(xdm_t)
|
seutil_sigchld_newrole(xdm_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
@@ -550,8 +643,8 @@
|
@@ -550,8 +649,8 @@
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@ -21904,7 +22120,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
|
|
||||||
ifndef(`distro_redhat',`
|
ifndef(`distro_redhat',`
|
||||||
allow xdm_t self:process { execheap execmem };
|
allow xdm_t self:process { execheap execmem };
|
||||||
@@ -571,6 +664,10 @@
|
@@ -571,6 +670,10 @@
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@ -21915,7 +22131,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
xfs_stream_connect(xdm_t)
|
xfs_stream_connect(xdm_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
@@ -635,6 +732,15 @@
|
@@ -635,6 +738,15 @@
|
||||||
manage_lnk_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
|
manage_lnk_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
|
||||||
files_search_var_lib(xserver_t)
|
files_search_var_lib(xserver_t)
|
||||||
|
|
||||||
@ -21931,7 +22147,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
# Create files in /var/log with the xserver_log_t type.
|
# Create files in /var/log with the xserver_log_t type.
|
||||||
manage_files_pattern(xserver_t, xserver_log_t, xserver_log_t)
|
manage_files_pattern(xserver_t, xserver_log_t, xserver_log_t)
|
||||||
logging_log_filetrans(xserver_t, xserver_log_t,file)
|
logging_log_filetrans(xserver_t, xserver_log_t,file)
|
||||||
@@ -682,6 +788,7 @@
|
@@ -682,6 +794,7 @@
|
||||||
dev_rw_input_dev(xserver_t)
|
dev_rw_input_dev(xserver_t)
|
||||||
dev_rwx_zero(xserver_t)
|
dev_rwx_zero(xserver_t)
|
||||||
|
|
||||||
@ -21939,7 +22155,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
domain_mmap_low(xserver_t)
|
domain_mmap_low(xserver_t)
|
||||||
|
|
||||||
files_read_etc_files(xserver_t)
|
files_read_etc_files(xserver_t)
|
||||||
@@ -697,6 +804,7 @@
|
@@ -697,6 +810,7 @@
|
||||||
fs_search_nfs(xserver_t)
|
fs_search_nfs(xserver_t)
|
||||||
fs_search_auto_mountpoints(xserver_t)
|
fs_search_auto_mountpoints(xserver_t)
|
||||||
fs_search_ramfs(xserver_t)
|
fs_search_ramfs(xserver_t)
|
||||||
@ -21947,7 +22163,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
|
|
||||||
mls_xwin_read_to_clearance(xserver_t)
|
mls_xwin_read_to_clearance(xserver_t)
|
||||||
|
|
||||||
@@ -806,7 +914,7 @@
|
@@ -806,7 +920,7 @@
|
||||||
allow xserver_t xdm_var_lib_t:file { getattr read };
|
allow xserver_t xdm_var_lib_t:file { getattr read };
|
||||||
dontaudit xserver_t xdm_var_lib_t:dir search;
|
dontaudit xserver_t xdm_var_lib_t:dir search;
|
||||||
|
|
||||||
@ -21956,7 +22172,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
|
|
||||||
# Label pid and temporary files with derived types.
|
# Label pid and temporary files with derived types.
|
||||||
manage_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
|
manage_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
|
||||||
@@ -830,6 +938,10 @@
|
@@ -830,6 +944,10 @@
|
||||||
|
|
||||||
xserver_use_user_fonts(xserver_t)
|
xserver_use_user_fonts(xserver_t)
|
||||||
|
|
||||||
@ -21967,7 +22183,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
tunable_policy(`use_nfs_home_dirs',`
|
tunable_policy(`use_nfs_home_dirs',`
|
||||||
fs_manage_nfs_dirs(xserver_t)
|
fs_manage_nfs_dirs(xserver_t)
|
||||||
fs_manage_nfs_files(xserver_t)
|
fs_manage_nfs_files(xserver_t)
|
||||||
@@ -844,11 +956,14 @@
|
@@ -844,11 +962,14 @@
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
dbus_system_bus_client(xserver_t)
|
dbus_system_bus_client(xserver_t)
|
||||||
@ -21983,7 +22199,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@@ -856,6 +971,11 @@
|
@@ -856,6 +977,11 @@
|
||||||
rhgb_rw_tmpfs_files(xserver_t)
|
rhgb_rw_tmpfs_files(xserver_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
@ -21995,7 +22211,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
# Rules common to all X window domains
|
# Rules common to all X window domains
|
||||||
@@ -972,6 +1092,37 @@
|
@@ -972,6 +1098,37 @@
|
||||||
allow xserver_unconfined_type { x_domain xserver_t }:x_resource *;
|
allow xserver_unconfined_type { x_domain xserver_t }:x_resource *;
|
||||||
allow xserver_unconfined_type xevent_type:{ x_event x_synthetic_event } *;
|
allow xserver_unconfined_type xevent_type:{ x_event x_synthetic_event } *;
|
||||||
|
|
||||||
@ -22033,7 +22249,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
ifdef(`TODO',`
|
ifdef(`TODO',`
|
||||||
tunable_policy(`allow_polyinstantiation',`
|
tunable_policy(`allow_polyinstantiation',`
|
||||||
# xdm needs access for linking .X11-unix to poly /tmp
|
# xdm needs access for linking .X11-unix to poly /tmp
|
||||||
@@ -986,3 +1137,13 @@
|
@@ -986,3 +1143,13 @@
|
||||||
#
|
#
|
||||||
allow xdm_t user_home_type:file unlink;
|
allow xdm_t user_home_type:file unlink;
|
||||||
') dnl end TODO
|
') dnl end TODO
|
||||||
@ -26194,7 +26410,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
+/dev/shm/mono.* gen_context(system_u:object_r:user_tmpfs_t,s0)
|
+/dev/shm/mono.* gen_context(system_u:object_r:user_tmpfs_t,s0)
|
||||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.6.3/policy/modules/system/userdomain.if
|
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.6.3/policy/modules/system/userdomain.if
|
||||||
--- nsaserefpolicy/policy/modules/system/userdomain.if 2009-01-19 11:07:34.000000000 -0500
|
--- nsaserefpolicy/policy/modules/system/userdomain.if 2009-01-19 11:07:34.000000000 -0500
|
||||||
+++ serefpolicy-3.6.3/policy/modules/system/userdomain.if 2009-01-19 13:10:02.000000000 -0500
|
+++ serefpolicy-3.6.3/policy/modules/system/userdomain.if 2009-01-19 17:08:20.000000000 -0500
|
||||||
@@ -30,8 +30,9 @@
|
@@ -30,8 +30,9 @@
|
||||||
')
|
')
|
||||||
|
|
||||||
@ -26594,7 +26810,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
|
|
||||||
##############################
|
##############################
|
||||||
#
|
#
|
||||||
@@ -512,189 +525,194 @@
|
@@ -512,189 +525,198 @@
|
||||||
dontaudit $1_t self:netlink_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown };
|
dontaudit $1_t self:netlink_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown };
|
||||||
dontaudit $1_t self:netlink_route_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown nlmsg_read nlmsg_write };
|
dontaudit $1_t self:netlink_route_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown nlmsg_read nlmsg_write };
|
||||||
|
|
||||||
@ -26763,54 +26979,57 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
- hal_dbus_chat($1_t)
|
- hal_dbus_chat($1_t)
|
||||||
+ evolution_dbus_chat($1_usertype)
|
+ devkit_power_dbus_chat($1_usertype)
|
||||||
+ evolution_alarm_dbus_chat($1_usertype)
|
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
- networkmanager_dbus_chat($1_t)
|
- networkmanager_dbus_chat($1_t)
|
||||||
- ')
|
- ')
|
||||||
+ hal_dbus_chat($1_usertype)
|
+ evolution_dbus_chat($1_usertype)
|
||||||
|
+ evolution_alarm_dbus_chat($1_usertype)
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
- inetd_use_fds($1_t)
|
- inetd_use_fds($1_t)
|
||||||
- inetd_rw_tcp_sockets($1_t)
|
- inetd_rw_tcp_sockets($1_t)
|
||||||
+ networkmanager_dbus_chat($1_usertype)
|
+ hal_dbus_chat($1_usertype)
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
- inn_read_config($1_t)
|
- inn_read_config($1_t)
|
||||||
- inn_read_news_lib($1_t)
|
- inn_read_news_lib($1_t)
|
||||||
- inn_read_news_spool($1_t)
|
- inn_read_news_spool($1_t)
|
||||||
+ vpnc_dbus_chat($1_usertype)
|
+ networkmanager_dbus_chat($1_usertype)
|
||||||
+ ')
|
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
- locate_read_lib_files($1_t)
|
- locate_read_lib_files($1_t)
|
||||||
+ inetd_use_fds($1_usertype)
|
+ vpnc_dbus_chat($1_usertype)
|
||||||
+ inetd_rw_tcp_sockets($1_usertype)
|
+ ')
|
||||||
')
|
')
|
||||||
|
|
||||||
- # for running depmod as part of the kernel packaging process
|
- # for running depmod as part of the kernel packaging process
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
- modutils_read_module_config($1_t)
|
- modutils_read_module_config($1_t)
|
||||||
|
+ inetd_use_fds($1_usertype)
|
||||||
|
+ inetd_rw_tcp_sockets($1_usertype)
|
||||||
|
')
|
||||||
|
|
||||||
|
optional_policy(`
|
||||||
|
- mta_rw_spool($1_t)
|
||||||
+ inn_read_config($1_usertype)
|
+ inn_read_config($1_usertype)
|
||||||
+ inn_read_news_lib($1_usertype)
|
+ inn_read_news_lib($1_usertype)
|
||||||
+ inn_read_news_spool($1_usertype)
|
+ inn_read_news_spool($1_usertype)
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
|
||||||
- mta_rw_spool($1_t)
|
|
||||||
+ locate_read_lib_files($1_usertype)
|
|
||||||
')
|
|
||||||
|
|
||||||
+ # for running depmod as part of the kernel packaging process
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
- tunable_policy(`allow_user_mysql_connect',`
|
- tunable_policy(`allow_user_mysql_connect',`
|
||||||
- mysql_stream_connect($1_t)
|
- mysql_stream_connect($1_t)
|
||||||
- ')
|
+ locate_read_lib_files($1_usertype)
|
||||||
|
')
|
||||||
|
+
|
||||||
|
+ # for running depmod as part of the kernel packaging process
|
||||||
|
+ optional_policy(`
|
||||||
+ modutils_read_module_config($1_usertype)
|
+ modutils_read_module_config($1_usertype)
|
||||||
')
|
')
|
||||||
|
|
||||||
@ -26832,16 +27051,16 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
- postgresql_stream_connect($1_t)
|
- postgresql_stream_connect($1_t)
|
||||||
- postgresql_tcp_connect($1_t)
|
- postgresql_tcp_connect($1_t)
|
||||||
+ postgresql_stream_connect($1_usertype)
|
+ postgresql_stream_connect($1_usertype)
|
||||||
|
+ ')
|
||||||
')
|
')
|
||||||
|
+
|
||||||
|
+ optional_policy(`
|
||||||
|
+ # to allow monitoring of pcmcia status
|
||||||
|
+ pcmcia_read_pid($1_usertype)
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
- resmgr_stream_connect($1_t)
|
- resmgr_stream_connect($1_t)
|
||||||
+ # to allow monitoring of pcmcia status
|
|
||||||
+ pcmcia_read_pid($1_usertype)
|
|
||||||
+ ')
|
|
||||||
+
|
|
||||||
+ optional_policy(`
|
|
||||||
+ pcscd_read_pub_files($1_usertype)
|
+ pcscd_read_pub_files($1_usertype)
|
||||||
+ pcscd_stream_connect($1_usertype)
|
+ pcscd_stream_connect($1_usertype)
|
||||||
')
|
')
|
||||||
@ -26871,7 +27090,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
')
|
')
|
||||||
|
|
||||||
#######################################
|
#######################################
|
||||||
@@ -722,15 +740,29 @@
|
@@ -722,15 +744,29 @@
|
||||||
|
|
||||||
userdom_base_user_template($1)
|
userdom_base_user_template($1)
|
||||||
|
|
||||||
@ -26907,7 +27126,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
|
|
||||||
##############################
|
##############################
|
||||||
#
|
#
|
||||||
@@ -746,70 +778,72 @@
|
@@ -746,70 +782,72 @@
|
||||||
|
|
||||||
allow $1_t self:context contains;
|
allow $1_t self:context contains;
|
||||||
|
|
||||||
@ -27013,7 +27232,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
')
|
')
|
||||||
')
|
')
|
||||||
|
|
||||||
@@ -846,6 +880,28 @@
|
@@ -846,6 +884,28 @@
|
||||||
# Local policy
|
# Local policy
|
||||||
#
|
#
|
||||||
|
|
||||||
@ -27042,7 +27261,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
optional_policy(`
|
optional_policy(`
|
||||||
loadkeys_run($1_t,$1_r)
|
loadkeys_run($1_t,$1_r)
|
||||||
')
|
')
|
||||||
@@ -876,7 +932,7 @@
|
@@ -876,7 +936,7 @@
|
||||||
|
|
||||||
userdom_restricted_user_template($1)
|
userdom_restricted_user_template($1)
|
||||||
|
|
||||||
@ -27051,17 +27270,17 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
|
|
||||||
##############################
|
##############################
|
||||||
#
|
#
|
||||||
@@ -884,14 +940,18 @@
|
@@ -884,14 +944,18 @@
|
||||||
#
|
#
|
||||||
|
|
||||||
auth_role($1_r, $1_t)
|
auth_role($1_r, $1_t)
|
||||||
- auth_search_pam_console_data($1_t)
|
- auth_search_pam_console_data($1_t)
|
||||||
+ auth_search_pam_console_data($1_usertype)
|
+ auth_search_pam_console_data($1_usertype)
|
||||||
+
|
|
||||||
+ xserver_role($1_r, $1_t)
|
|
||||||
|
|
||||||
- dev_read_sound($1_t)
|
- dev_read_sound($1_t)
|
||||||
- dev_write_sound($1_t)
|
- dev_write_sound($1_t)
|
||||||
|
+ xserver_role($1_r, $1_t)
|
||||||
|
+
|
||||||
+ dev_read_sound($1_usertype)
|
+ dev_read_sound($1_usertype)
|
||||||
+ dev_write_sound($1_usertype)
|
+ dev_write_sound($1_usertype)
|
||||||
# gnome keyring wants to read this.
|
# gnome keyring wants to read this.
|
||||||
@ -27075,7 +27294,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
logging_dontaudit_send_audit_msgs($1_t)
|
logging_dontaudit_send_audit_msgs($1_t)
|
||||||
|
|
||||||
# Need to to this just so screensaver will work. Should be moved to screensaver domain
|
# Need to to this just so screensaver will work. Should be moved to screensaver domain
|
||||||
@@ -899,28 +959,24 @@
|
@@ -899,28 +963,24 @@
|
||||||
selinux_get_enforce_mode($1_t)
|
selinux_get_enforce_mode($1_t)
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@ -27110,7 +27329,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
')
|
')
|
||||||
')
|
')
|
||||||
|
|
||||||
@@ -931,8 +987,7 @@
|
@@ -931,8 +991,7 @@
|
||||||
## </summary>
|
## </summary>
|
||||||
## <desc>
|
## <desc>
|
||||||
## <p>
|
## <p>
|
||||||
@ -27120,7 +27339,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
## </p>
|
## </p>
|
||||||
## <p>
|
## <p>
|
||||||
## This template creates a user domain, types, and
|
## This template creates a user domain, types, and
|
||||||
@@ -954,8 +1009,8 @@
|
@@ -954,8 +1013,8 @@
|
||||||
# Declarations
|
# Declarations
|
||||||
#
|
#
|
||||||
|
|
||||||
@ -27130,7 +27349,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
userdom_common_user_template($1)
|
userdom_common_user_template($1)
|
||||||
|
|
||||||
##############################
|
##############################
|
||||||
@@ -964,11 +1019,10 @@
|
@@ -964,11 +1023,10 @@
|
||||||
#
|
#
|
||||||
|
|
||||||
# port access is audited even if dac would not have allowed it, so dontaudit it here
|
# port access is audited even if dac would not have allowed it, so dontaudit it here
|
||||||
@ -27143,7 +27362,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
# cjp: why?
|
# cjp: why?
|
||||||
files_read_kernel_symbol_table($1_t)
|
files_read_kernel_symbol_table($1_t)
|
||||||
|
|
||||||
@@ -986,37 +1040,47 @@
|
@@ -986,37 +1044,47 @@
|
||||||
')
|
')
|
||||||
')
|
')
|
||||||
|
|
||||||
@ -27194,17 +27413,17 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
+
|
+
|
||||||
+ optional_policy(`
|
+ optional_policy(`
|
||||||
+ mount_run($1_t, $1_r)
|
+ mount_run($1_t, $1_r)
|
||||||
+ ')
|
')
|
||||||
+
|
+
|
||||||
+ # Run pppd in pppd_t by default for user
|
+ # Run pppd in pppd_t by default for user
|
||||||
+ optional_policy(`
|
+ optional_policy(`
|
||||||
+ ppp_run_cond($1_t, $1_r)
|
+ ppp_run_cond($1_t, $1_r)
|
||||||
')
|
+ ')
|
||||||
+
|
+
|
||||||
')
|
')
|
||||||
|
|
||||||
#######################################
|
#######################################
|
||||||
@@ -1050,7 +1114,7 @@
|
@@ -1050,7 +1118,7 @@
|
||||||
#
|
#
|
||||||
template(`userdom_admin_user_template',`
|
template(`userdom_admin_user_template',`
|
||||||
gen_require(`
|
gen_require(`
|
||||||
@ -27213,7 +27432,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
')
|
')
|
||||||
|
|
||||||
##############################
|
##############################
|
||||||
@@ -1059,8 +1123,7 @@
|
@@ -1059,8 +1127,7 @@
|
||||||
#
|
#
|
||||||
|
|
||||||
# Inherit rules for ordinary users.
|
# Inherit rules for ordinary users.
|
||||||
@ -27223,7 +27442,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
|
|
||||||
domain_obj_id_change_exemption($1_t)
|
domain_obj_id_change_exemption($1_t)
|
||||||
role system_r types $1_t;
|
role system_r types $1_t;
|
||||||
@@ -1083,7 +1146,8 @@
|
@@ -1083,7 +1150,8 @@
|
||||||
# Skip authentication when pam_rootok is specified.
|
# Skip authentication when pam_rootok is specified.
|
||||||
allow $1_t self:passwd rootok;
|
allow $1_t self:passwd rootok;
|
||||||
|
|
||||||
@ -27233,7 +27452,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
|
|
||||||
kernel_read_software_raid_state($1_t)
|
kernel_read_software_raid_state($1_t)
|
||||||
kernel_getattr_core_if($1_t)
|
kernel_getattr_core_if($1_t)
|
||||||
@@ -1106,8 +1170,6 @@
|
@@ -1106,8 +1174,6 @@
|
||||||
|
|
||||||
dev_getattr_generic_blk_files($1_t)
|
dev_getattr_generic_blk_files($1_t)
|
||||||
dev_getattr_generic_chr_files($1_t)
|
dev_getattr_generic_chr_files($1_t)
|
||||||
@ -27242,7 +27461,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
# Allow MAKEDEV to work
|
# Allow MAKEDEV to work
|
||||||
dev_create_all_blk_files($1_t)
|
dev_create_all_blk_files($1_t)
|
||||||
dev_create_all_chr_files($1_t)
|
dev_create_all_chr_files($1_t)
|
||||||
@@ -1162,20 +1224,6 @@
|
@@ -1162,20 +1228,6 @@
|
||||||
# But presently necessary for installing the file_contexts file.
|
# But presently necessary for installing the file_contexts file.
|
||||||
seutil_manage_bin_policy($1_t)
|
seutil_manage_bin_policy($1_t)
|
||||||
|
|
||||||
@ -27263,7 +27482,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
optional_policy(`
|
optional_policy(`
|
||||||
postgresql_unconfined($1_t)
|
postgresql_unconfined($1_t)
|
||||||
')
|
')
|
||||||
@@ -1221,6 +1269,7 @@
|
@@ -1221,6 +1273,7 @@
|
||||||
dev_relabel_all_dev_nodes($1)
|
dev_relabel_all_dev_nodes($1)
|
||||||
|
|
||||||
files_create_boot_flag($1)
|
files_create_boot_flag($1)
|
||||||
@ -27271,7 +27490,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
|
|
||||||
# Necessary for managing /boot/efi
|
# Necessary for managing /boot/efi
|
||||||
fs_manage_dos_files($1)
|
fs_manage_dos_files($1)
|
||||||
@@ -1286,11 +1335,15 @@
|
@@ -1286,11 +1339,15 @@
|
||||||
interface(`userdom_user_home_content',`
|
interface(`userdom_user_home_content',`
|
||||||
gen_require(`
|
gen_require(`
|
||||||
type user_home_t;
|
type user_home_t;
|
||||||
@ -27287,7 +27506,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@@ -1387,7 +1440,7 @@
|
@@ -1387,7 +1444,7 @@
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <summary>
|
## <summary>
|
||||||
@ -27296,7 +27515,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
## </summary>
|
## </summary>
|
||||||
## <param name="domain">
|
## <param name="domain">
|
||||||
## <summary>
|
## <summary>
|
||||||
@@ -1420,6 +1473,14 @@
|
@@ -1420,6 +1477,14 @@
|
||||||
|
|
||||||
allow $1 user_home_dir_t:dir list_dir_perms;
|
allow $1 user_home_dir_t:dir list_dir_perms;
|
||||||
files_search_home($1)
|
files_search_home($1)
|
||||||
@ -27311,7 +27530,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@@ -1435,9 +1496,11 @@
|
@@ -1435,9 +1500,11 @@
|
||||||
interface(`userdom_dontaudit_list_user_home_dirs',`
|
interface(`userdom_dontaudit_list_user_home_dirs',`
|
||||||
gen_require(`
|
gen_require(`
|
||||||
type user_home_dir_t;
|
type user_home_dir_t;
|
||||||
@ -27323,7 +27542,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@@ -1494,6 +1557,25 @@
|
@@ -1494,6 +1561,25 @@
|
||||||
allow $1 user_home_dir_t:dir relabelto;
|
allow $1 user_home_dir_t:dir relabelto;
|
||||||
')
|
')
|
||||||
|
|
||||||
@ -27349,7 +27568,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
########################################
|
########################################
|
||||||
## <summary>
|
## <summary>
|
||||||
## Create directories in the home dir root with
|
## Create directories in the home dir root with
|
||||||
@@ -1547,9 +1629,9 @@
|
@@ -1547,9 +1633,9 @@
|
||||||
type user_home_dir_t, user_home_t;
|
type user_home_dir_t, user_home_t;
|
||||||
')
|
')
|
||||||
|
|
||||||
@ -27361,7 +27580,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@@ -1568,6 +1650,8 @@
|
@@ -1568,6 +1654,8 @@
|
||||||
')
|
')
|
||||||
|
|
||||||
dontaudit $1 user_home_t:dir search_dir_perms;
|
dontaudit $1 user_home_t:dir search_dir_perms;
|
||||||
@ -27370,7 +27589,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@@ -1643,6 +1727,7 @@
|
@@ -1643,6 +1731,7 @@
|
||||||
type user_home_dir_t, user_home_t;
|
type user_home_dir_t, user_home_t;
|
||||||
')
|
')
|
||||||
|
|
||||||
@ -27378,7 +27597,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
read_files_pattern($1, { user_home_dir_t user_home_t }, user_home_t)
|
read_files_pattern($1, { user_home_dir_t user_home_t }, user_home_t)
|
||||||
files_search_home($1)
|
files_search_home($1)
|
||||||
')
|
')
|
||||||
@@ -1741,6 +1826,62 @@
|
@@ -1741,6 +1830,62 @@
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <summary>
|
## <summary>
|
||||||
@ -27441,7 +27660,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
## Execute user home files.
|
## Execute user home files.
|
||||||
## </summary>
|
## </summary>
|
||||||
## <param name="domain">
|
## <param name="domain">
|
||||||
@@ -1757,14 +1898,6 @@
|
@@ -1757,14 +1902,6 @@
|
||||||
|
|
||||||
files_search_home($1)
|
files_search_home($1)
|
||||||
exec_files_pattern($1, { user_home_dir_t user_home_t }, user_home_t)
|
exec_files_pattern($1, { user_home_dir_t user_home_t }, user_home_t)
|
||||||
@ -27456,7 +27675,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@@ -1787,6 +1920,46 @@
|
@@ -1787,6 +1924,46 @@
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <summary>
|
## <summary>
|
||||||
@ -27503,7 +27722,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
## Create, read, write, and delete files
|
## Create, read, write, and delete files
|
||||||
## in a user home subdirectory.
|
## in a user home subdirectory.
|
||||||
## </summary>
|
## </summary>
|
||||||
@@ -2819,6 +2992,24 @@
|
@@ -2819,6 +2996,24 @@
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <summary>
|
## <summary>
|
||||||
@ -27528,7 +27747,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
## Do not audit attempts to use user ttys.
|
## Do not audit attempts to use user ttys.
|
||||||
## </summary>
|
## </summary>
|
||||||
## <param name="domain">
|
## <param name="domain">
|
||||||
@@ -2851,6 +3042,7 @@
|
@@ -2851,6 +3046,7 @@
|
||||||
')
|
')
|
||||||
|
|
||||||
read_files_pattern($1,userdomain,userdomain)
|
read_files_pattern($1,userdomain,userdomain)
|
||||||
@ -27536,7 +27755,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
kernel_search_proc($1)
|
kernel_search_proc($1)
|
||||||
')
|
')
|
||||||
|
|
||||||
@@ -2965,6 +3157,24 @@
|
@@ -2965,6 +3161,24 @@
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <summary>
|
## <summary>
|
||||||
@ -27561,7 +27780,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
## Send a dbus message to all user domains.
|
## Send a dbus message to all user domains.
|
||||||
## </summary>
|
## </summary>
|
||||||
## <param name="domain">
|
## <param name="domain">
|
||||||
@@ -2981,3 +3191,264 @@
|
@@ -2981,3 +3195,264 @@
|
||||||
|
|
||||||
allow $1 userdomain:dbus send_msg;
|
allow $1 userdomain:dbus send_msg;
|
||||||
')
|
')
|
||||||
|
Loading…
Reference in New Issue
Block a user