- Fixes to allow mozilla_plugin_t to create nsplugin_home_t directory.

- Allow mozilla_plugin_t to create tcp/udp/netlink_route sockets - Allow confined users to read xdm_etc_t files - Allow xdm_t to transition to xauth_t for lxdm program
2010-09-27 10:31:36 -04:00 · 2010-09-27 10:31:36 -04:00 · 7c487e9739
parent ab8faf7dcf
commit 7c487e9739
2 changed files with 175 additions and 98 deletions
--- a/policy-F14.patch
+++ b/policy-F14.patch
@ -2144,10 +2144,10 @@ index 0000000..7fe26f3
 +')
 diff --git a/policy/modules/apps/firewallgui.te b/policy/modules/apps/firewallgui.te
 new file mode 100644
-index 0000000..910a3f4
+index 0000000..0bbd523
 --- /dev/null
 +++ b/policy/modules/apps/firewallgui.te
-@@ -0,0 +1,65 @@
+@@ -0,0 +1,66 @@
 +policy_module(firewallgui,1.0.0)
 +
 +########################################
@ -2174,36 +2174,37 @@ index 0000000..910a3f4
 +manage_dirs_pattern(firewallgui_t,firewallgui_tmp_t,firewallgui_tmp_t)
 +files_tmp_filetrans(firewallgui_t,firewallgui_tmp_t, { file dir })
 +
 +files_manage_system_conf_files(firewallgui_t)
 +files_etc_filetrans_system_conf(firewallgui_t)
 +
 +corecmd_exec_shell(firewallgui_t)
 +corecmd_exec_bin(firewallgui_t)
 +consoletype_exec(firewallgui_t)
 +
 +kernel_read_system_state(firewallgui_t)
 +kernel_read_network_state(firewallgui_t)
 +kernel_rw_net_sysctls(firewallgui_t)
 +kernel_rw_kernel_sysctl(firewallgui_t)
 +kernel_rw_vm_sysctls(firewallgui_t)
 +
 +corecmd_exec_shell(firewallgui_t)
 +corecmd_exec_bin(firewallgui_t)
 +consoletype_exec(firewallgui_t)
 +
 +dev_read_urand(firewallgui_t)
 +dev_read_sysfs(firewallgui_t)
 +
 +files_manage_system_conf_files(firewallgui_t)
 +files_etc_filetrans_system_conf(firewallgui_t)
 +files_read_etc_files(firewallgui_t)
 +files_read_usr_files(firewallgui_t)
 +files_search_kernel_modules(firewallgui_t)
 +files_list_kernel_modules(firewallgui_t)
 +
 +iptables_domtrans(firewallgui_t)
 +iptables_initrc_domtrans(firewallgui_t)
 +
 +modutils_getattr_module_deps(firewallgui_t)
 +
 +dev_read_urand(firewallgui_t)
 +dev_read_sysfs(firewallgui_t)
 +
 +nscd_dontaudit_search_pid(firewallgui_t)
 +nscd_socket_use(firewallgui_t)
 +
 +miscfiles_read_localization(firewallgui_t)
 +
-+iptables_domtrans(firewallgui_t)
+userdom_dontaudit_search_user_home_dirs(firewallgui_t)
-+iptables_initrc_domtrans(firewallgui_t)
+
 +nscd_dontaudit_search_pid(firewallgui_t)
 +nscd_socket_use(firewallgui_t)
 +
 +optional_policy(`
 +	gnome_read_gconf_home_files(firewallgui_t)
@ -3700,7 +3701,7 @@ index 9a6d67d..47aa143 100644
 ##	mozilla over dbus.
 ## </summary>
 diff --git a/policy/modules/apps/mozilla.te b/policy/modules/apps/mozilla.te
-index cbf4bec..7243acc 100644
+index cbf4bec..001dc99 100644
 --- a/policy/modules/apps/mozilla.te
 +++ b/policy/modules/apps/mozilla.te
@@ -25,6 +25,7 @@ files_config_file(mozilla_conf_t)
@ -3773,7 +3774,7 @@ index cbf4bec..7243acc 100644
 	pulseaudio_exec(mozilla_t)
 	pulseaudio_stream_connect(mozilla_t)
 	pulseaudio_manage_home_files(mozilla_t)
-@@ -266,3 +291,91 @@ optional_policy(`
+@@ -266,3 +291,105 @@ optional_policy(`
 optional_policy(`
 	thunderbird_domtrans(mozilla_t)
 ')
@ -3783,14 +3784,17 @@ index cbf4bec..7243acc 100644
 +# mozilla_plugin local policy
 +#
 +allow mozilla_plugin_t self:process { setsched signal_perms execmem };
 +allow mozilla_plugin_t self:netlink_route_socket r_netlink_socket_perms;
 +allow mozilla_plugin_t self:tcp_socket create_socket_perms;
 +allow mozilla_plugin_t self:udp_socket create_socket_perms;
 +
 +allow mozilla_plugin_t self:sem create_sem_perms;
 +allow mozilla_plugin_t self:shm create_shm_perms;
 +allow mozilla_plugin_t self:fifo_file manage_fifo_file_perms;
 +allow mozilla_plugin_t self:unix_stream_socket { connectto create_stream_socket_perms };
 +
 +read_files_pattern(mozilla_plugin_t, mozilla_home_t, mozilla_home_t)
 +can_exec(mozilla_plugin_t, mozilla_home_t)
 +read_files_pattern(mozilla_plugin_t, mozilla_home_t, mozilla_home_t)
 +
 +manage_dirs_pattern(mozilla_plugin_t, mozilla_plugin_tmp_t, mozilla_plugin_tmp_t)
 +manage_files_pattern(mozilla_plugin_t, mozilla_plugin_tmp_t, mozilla_plugin_tmp_t)
@ -3816,6 +3820,7 @@ index cbf4bec..7243acc 100644
 +dev_read_sysfs(mozilla_plugin_t)
 +dev_read_sound(mozilla_plugin_t)
 +dev_write_sound(mozilla_plugin_t)
 +dev_dontaudit_rw_dri(mozilla_plugin_t)
 +
 +domain_use_interactive_fds(mozilla_plugin_t)
 +domain_dontaudit_read_all_domains_state(mozilla_plugin_t)
@ -3832,14 +3837,23 @@ index cbf4bec..7243acc 100644
 +term_getattr_all_ptys(mozilla_plugin_t)
 +
 +userdom_rw_user_tmpfs_files(mozilla_plugin_t)
 +userdom_delete_user_tmpfs_files(mozilla_plugin_t)
 +userdom_stream_connect(mozilla_plugin_t)
 +userdom_dontaudit_use_user_ptys(mozilla_plugin_t)
 +
 +userdom_list_user_tmp(mozilla_plugin_t)
 +userdom_read_user_tmp_files(mozilla_plugin_t)
 +userdom_read_user_tmp_symlinks(mozilla_plugin_t)
 +userdom_read_user_home_content_files(mozilla_plugin_t)
 +userdom_read_user_home_content_files(mozilla_plugin_t)
 +userdom_read_user_home_content_symlinks(mozilla_plugin_t)
 +
 +optional_policy(`
 +	alsa_read_rw_config(mozilla_plugin_t)
 +')
 +
 +optional_policy(`
 +	dbus_session_bus_client(mozilla_plugin_t)
 +	dbus_read_lib_files(mozilla_plugin_t)
 +')
 +
@ -3853,6 +3867,7 @@ index cbf4bec..7243acc 100644
 +	nsplugin_rw_exec(mozilla_plugin_t)
 +	nsplugin_manage_home_dirs(mozilla_plugin_t)
 +	nsplugin_manage_home_files(mozilla_plugin_t)
 +	nsplugin_user_home_dir_filetrans(mozilla_plugin_t, dir)
 +	nsplugin_signal(mozilla_plugin_t)
 +')
 +
@ -3967,10 +3982,10 @@ index 0000000..63abc5c
 +/usr/lib(64)?/mozilla/plugins-wrapped(/.*)?			gen_context(system_u:object_r:nsplugin_rw_t,s0)
 diff --git a/policy/modules/apps/nsplugin.if b/policy/modules/apps/nsplugin.if
 new file mode 100644
-index 0000000..9439746
+index 0000000..4dbb161
 --- /dev/null
 +++ b/policy/modules/apps/nsplugin.if
-@@ -0,0 +1,411 @@
+@@ -0,0 +1,436 @@
 +
 +## <summary>policy for nsplugin</summary>
 +
@ -4382,6 +4397,31 @@ index 0000000..9439746
 +
 +	allow $1 nsplugin_t:process signal;
 +')
 +
 +########################################
 +## <summary>
 +##	Create objects in a user home directory
 +##	with an automatic type transition to
 +##	the nsplugin home file type.
 +## </summary>
 +## <param name="domain">
 +##	<summary>
 +##	Domain allowed access.
 +##	</summary>
 +## </param>
 +## <param name="object_class">
 +##	<summary>
 +##	The class of the object to be created.
 +##	</summary>
 +## </param>
 +#
 +interface(`nsplugin_user_home_dir_filetrans',`
 +	gen_require(`
 +		type nsplugin_home_t;
 +	')
 +
 +	userdom_user_home_content_filetrans($1, nsplugin_home_t,  $2)
 +')
 diff --git a/policy/modules/apps/nsplugin.te b/policy/modules/apps/nsplugin.te
 new file mode 100644
 index 0000000..7bc0dcf
@ -6261,10 +6301,10 @@ index 0000000..3d12484
 +')
 diff --git a/policy/modules/apps/telepathy.te b/policy/modules/apps/telepathy.te
 new file mode 100644
-index 0000000..aa34be4
+index 0000000..c4fe796
 --- /dev/null
 +++ b/policy/modules/apps/telepathy.te
-@@ -0,0 +1,318 @@
+@@ -0,0 +1,320 @@
 +
 +policy_module(telepathy, 1.0.0)
 +
@ -6323,8 +6363,10 @@ index 0000000..aa34be4
 +can_exec(telepathy_msn_t, telepathy_msn_tmp_t)
 +
 +corenet_sendrecv_http_client_packets(telepathy_msn_t)
 +corenet_sendrecv_mmcc_client_packets(telepathy_msn_t)
 +corenet_sendrecv_msnp_client_packets(telepathy_msn_t)
 +corenet_tcp_connect_http_port(telepathy_msn_t)
 +corenet_tcp_connect_mmcc_port(telepathy_msn_t)
 +corenet_tcp_connect_msnp_port(telepathy_msn_t)
 +corenet_tcp_connect_sametime_port(telepathy_msn_t)
 +
@ -9628,10 +9670,17 @@ index 1875064..e9c9277 100644
 +	sudo_role_template(dbadm, dbadm_r, dbadm_t)
 +')
 diff --git a/policy/modules/roles/guest.te b/policy/modules/roles/guest.te
-index 531c616..321e5a7 100644
+index 531c616..f332441 100644
 --- a/policy/modules/roles/guest.te
 +++ b/policy/modules/roles/guest.te
-@@ -14,4 +14,8 @@ userdom_restricted_user_template(guest)
+@@ -9,9 +9,15 @@ role guest_r;
 userdom_restricted_user_template(guest)
 +kernel_read_system_state(guest_t)
 +
 ########################################
 #
 # Local policy
 #
@ -15545,7 +15594,7 @@ index 1f11572..01b02f3 100644
 	')
 diff --git a/policy/modules/services/clamav.te b/policy/modules/services/clamav.te
-index 8c36027..f9af97c 100644
+index 8c36027..532fa91 100644
 --- a/policy/modules/services/clamav.te
 +++ b/policy/modules/services/clamav.te
@@ -1,9 +1,9 @@
@ -15561,7 +15610,16 @@ index 8c36027..f9af97c 100644
 ## </desc>
 gen_tunable(clamd_use_jit, false)
-@@ -80,6 +80,7 @@ manage_files_pattern(clamd_t, clamd_tmp_t, clamd_tmp_t)
+@@ -64,6 +64,8 @@ logging_log_file(freshclam_var_log_t)
 allow clamd_t self:capability { kill setgid setuid dac_override };
 dontaudit clamd_t self:capability sys_tty_config;
 +allow clamd_t self:process signal;
 +
 allow clamd_t self:fifo_file rw_fifo_file_perms;
 allow clamd_t self:unix_stream_socket { create_stream_socket_perms connectto };
 allow clamd_t self:unix_dgram_socket create_socket_perms;
@@ -80,6 +82,7 @@ manage_files_pattern(clamd_t, clamd_tmp_t, clamd_tmp_t)
 files_tmp_filetrans(clamd_t, clamd_tmp_t, { file dir })
 # var/lib files for clamd
@ -15569,7 +15627,7 @@ index 8c36027..f9af97c 100644
 manage_dirs_pattern(clamd_t, clamd_var_lib_t, clamd_var_lib_t)
 manage_files_pattern(clamd_t, clamd_var_lib_t, clamd_var_lib_t)
-@@ -89,9 +90,10 @@ manage_files_pattern(clamd_t, clamd_var_log_t, clamd_var_log_t)
+@@ -89,9 +92,10 @@ manage_files_pattern(clamd_t, clamd_var_log_t, clamd_var_log_t)
 logging_log_filetrans(clamd_t, clamd_var_log_t, { dir file })
 # pid file
@ -15581,7 +15639,7 @@ index 8c36027..f9af97c 100644
 kernel_dontaudit_list_proc(clamd_t)
 kernel_read_sysctl(clamd_t)
-@@ -147,8 +149,10 @@ optional_policy(`
+@@ -147,8 +151,10 @@ optional_policy(`
 tunable_policy(`clamd_use_jit',`
 	allow clamd_t self:process execmem;
@ -15593,7 +15651,7 @@ index 8c36027..f9af97c 100644
 ')
 ########################################
-@@ -178,10 +182,16 @@ files_pid_filetrans(freshclam_t, clamd_var_run_t, file)
+@@ -178,10 +184,16 @@ files_pid_filetrans(freshclam_t, clamd_var_run_t, file)
 # log files (own logfiles only)
 manage_files_pattern(freshclam_t, freshclam_var_log_t, freshclam_var_log_t)
@ -15612,7 +15670,7 @@ index 8c36027..f9af97c 100644
 corenet_all_recvfrom_unlabeled(freshclam_t)
 corenet_all_recvfrom_netlabel(freshclam_t)
 corenet_tcp_sendrecv_generic_if(freshclam_t)
-@@ -189,6 +199,7 @@ corenet_tcp_sendrecv_generic_node(freshclam_t)
+@@ -189,6 +201,7 @@ corenet_tcp_sendrecv_generic_node(freshclam_t)
 corenet_tcp_sendrecv_all_ports(freshclam_t)
 corenet_tcp_sendrecv_clamd_port(freshclam_t)
 corenet_tcp_connect_http_port(freshclam_t)
@ -15620,7 +15678,7 @@ index 8c36027..f9af97c 100644
 corenet_sendrecv_http_client_packets(freshclam_t)
 dev_read_rand(freshclam_t)
-@@ -207,16 +218,18 @@ miscfiles_read_localization(freshclam_t)
+@@ -207,16 +220,18 @@ miscfiles_read_localization(freshclam_t)
 clamav_stream_connect(freshclam_t)
@ -15643,7 +15701,7 @@ index 8c36027..f9af97c 100644
 ########################################
 #
 # clamscam local policy
-@@ -251,6 +264,7 @@ corenet_tcp_sendrecv_clamd_port(clamscan_t)
+@@ -251,6 +266,7 @@ corenet_tcp_sendrecv_clamd_port(clamscan_t)
 corenet_tcp_connect_clamd_port(clamscan_t)
 kernel_read_kernel_sysctls(clamscan_t)
@ -34842,7 +34900,7 @@ index 6f1e3c7..6a160b2 100644
 +/var/lib/pqsql/\.Xauthority.*	--	gen_context(system_u:object_r:xauth_home_t,s0)
 +
 diff --git a/policy/modules/services/xserver.if b/policy/modules/services/xserver.if
-index da2601a..ef2a773 100644
+index da2601a..f963642 100644
 --- a/policy/modules/services/xserver.if
 +++ b/policy/modules/services/xserver.if
@@ -19,9 +19,10 @@
@ -34924,14 +34982,16 @@ index da2601a..ef2a773 100644
 	xserver_xsession_entry_type($2)
 	xserver_dontaudit_write_log($2)
 	xserver_stream_connect_xdm($2)
-@@ -107,11 +115,23 @@ interface(`xserver_restricted_role',`
+@@ -106,12 +114,25 @@ interface(`xserver_restricted_role',`
 	xserver_create_xdm_tmp_sockets($2)
 	# Needed for escd, remove if we get escd policy
 	xserver_manage_xdm_tmp_files($2)
- 
+	xserver_read_xdm_etc_files($2)
 +
 +	ifdef(`hide_broken_symptoms',`
 +		dontaudit iceauth_t $2:socket_class_set { read write };
 +	')
-+
+ 
 	# Client write xserver shm
 	tunable_policy(`allow_write_xshm',`
 		allow $2 xserver_t:shm rw_shm_perms;
@ -34948,7 +35008,7 @@ index da2601a..ef2a773 100644
 ')
 ########################################
-@@ -143,13 +163,15 @@ interface(`xserver_role',`
+@@ -143,13 +164,15 @@ interface(`xserver_role',`
 	allow $2 xserver_tmpfs_t:file rw_file_perms;
 	allow $2 iceauth_home_t:file manage_file_perms;
@ -34966,7 +35026,7 @@ index da2601a..ef2a773 100644
 	relabel_dirs_pattern($2, user_fonts_t, user_fonts_t)
 	relabel_files_pattern($2, user_fonts_t, user_fonts_t)
-@@ -162,7 +184,6 @@ interface(`xserver_role',`
+@@ -162,7 +185,6 @@ interface(`xserver_role',`
 	manage_files_pattern($2, user_fonts_config_t, user_fonts_config_t)
 	relabel_dirs_pattern($2, user_fonts_config_t, user_fonts_config_t)
 	relabel_files_pattern($2, user_fonts_config_t, user_fonts_config_t)
@ -34974,7 +35034,7 @@ index da2601a..ef2a773 100644
 ')
 #######################################
-@@ -197,7 +218,7 @@ interface(`xserver_ro_session',`
+@@ -197,7 +219,7 @@ interface(`xserver_ro_session',`
 	allow $1 xserver_t:process signal;
 	# Read /tmp/.X0-lock
@ -34983,7 +35043,7 @@ index da2601a..ef2a773 100644
 	# Client read xserver shm
 	allow $1 xserver_t:fd use;
-@@ -227,7 +248,7 @@ interface(`xserver_rw_session',`
+@@ -227,7 +249,7 @@ interface(`xserver_rw_session',`
 		type xserver_t, xserver_tmpfs_t;
 	')
@ -34992,7 +35052,7 @@ index da2601a..ef2a773 100644
 	allow $1 xserver_t:shm rw_shm_perms;
 	allow $1 xserver_tmpfs_t:file rw_file_perms;
 ')
-@@ -255,7 +276,7 @@ interface(`xserver_non_drawing_client',`
+@@ -255,7 +277,7 @@ interface(`xserver_non_drawing_client',`
 	allow $1 self:x_gc { create setattr };
@ -35001,7 +35061,7 @@ index da2601a..ef2a773 100644
 	allow $1 xserver_t:unix_stream_socket connectto;
 	allow $1 xextension_t:x_extension { query use };
-@@ -291,13 +312,13 @@ interface(`xserver_user_client',`
+@@ -291,13 +313,13 @@ interface(`xserver_user_client',`
 	allow $1 self:unix_stream_socket { connectto create_stream_socket_perms };
 	# Read .Xauthority file
@ -35019,7 +35079,7 @@ index da2601a..ef2a773 100644
 	allow $1 xdm_tmp_t:sock_file { read write };
 	dontaudit $1 xdm_t:tcp_socket { read write };
-@@ -342,19 +363,23 @@ interface(`xserver_user_client',`
+@@ -342,19 +364,23 @@ interface(`xserver_user_client',`
 #
 template(`xserver_common_x_domain_template',`
 	gen_require(`
@ -35046,7 +35106,7 @@ index da2601a..ef2a773 100644
 	')
 	##############################
-@@ -386,6 +411,15 @@ template(`xserver_common_x_domain_template',`
+@@ -386,6 +412,15 @@ template(`xserver_common_x_domain_template',`
 	allow $2 xevent_t:{ x_event x_synthetic_event } receive;
 	# dont audit send failures
 	dontaudit $2 input_xevent_type:x_event send;
@ -35062,7 +35122,7 @@ index da2601a..ef2a773 100644
 ')
 #######################################
-@@ -444,8 +478,8 @@ template(`xserver_object_types_template',`
+@@ -444,8 +479,8 @@ template(`xserver_object_types_template',`
 #
 template(`xserver_user_x_domain_template',`
 	gen_require(`
@ -35073,7 +35133,7 @@ index da2601a..ef2a773 100644
 	')
 	allow $2 self:shm create_shm_perms;
-@@ -458,9 +492,9 @@ template(`xserver_user_x_domain_template',`
+@@ -458,9 +493,9 @@ template(`xserver_user_x_domain_template',`
 	# for when /tmp/.X11-unix is created by the system
 	allow $2 xdm_t:fd use;
@ -35085,7 +35145,7 @@ index da2601a..ef2a773 100644
 	dontaudit $2 xdm_t:tcp_socket { read write };
 	# Allow connections to X server.
-@@ -472,20 +506,25 @@ template(`xserver_user_x_domain_template',`
+@@ -472,20 +507,25 @@ template(`xserver_user_x_domain_template',`
 	# for .xsession-errors
 	userdom_dontaudit_write_user_home_content_files($2)
@ -35113,7 +35173,7 @@ index da2601a..ef2a773 100644
 ')
 ########################################
-@@ -517,6 +556,7 @@ interface(`xserver_use_user_fonts',`
+@@ -517,6 +557,7 @@ interface(`xserver_use_user_fonts',`
 	# Read per user fonts
 	allow $1 user_fonts_t:dir list_dir_perms;
 	allow $1 user_fonts_t:file read_file_perms;
@ -35121,7 +35181,7 @@ index da2601a..ef2a773 100644
 	# Manipulate the global font cache
 	manage_dirs_pattern($1, user_fonts_cache_t, user_fonts_cache_t)
-@@ -545,6 +585,28 @@ interface(`xserver_domtrans_xauth',`
+@@ -545,6 +586,28 @@ interface(`xserver_domtrans_xauth',`
 	')
 	domtrans_pattern($1, xauth_exec_t, xauth_t)
@ -35150,7 +35210,7 @@ index da2601a..ef2a773 100644
 ')
 ########################################
-@@ -598,6 +660,7 @@ interface(`xserver_read_user_xauth',`
+@@ -598,6 +661,7 @@ interface(`xserver_read_user_xauth',`
 	allow $1 xauth_home_t:file read_file_perms;
 	userdom_search_user_home_dirs($1)
@ -35158,7 +35218,7 @@ index da2601a..ef2a773 100644
 ')
 ########################################
-@@ -615,7 +678,7 @@ interface(`xserver_setattr_console_pipes',`
+@@ -615,7 +679,7 @@ interface(`xserver_setattr_console_pipes',`
 		type xconsole_device_t;
 	')
@ -35167,7 +35227,7 @@ index da2601a..ef2a773 100644
 ')
 ########################################
-@@ -651,7 +714,7 @@ interface(`xserver_use_xdm_fds',`
+@@ -651,7 +715,7 @@ interface(`xserver_use_xdm_fds',`
 		type xdm_t;
 	')
@ -35176,7 +35236,7 @@ index da2601a..ef2a773 100644
 ')
 ########################################
-@@ -670,7 +733,7 @@ interface(`xserver_dontaudit_use_xdm_fds',`
+@@ -670,7 +734,7 @@ interface(`xserver_dontaudit_use_xdm_fds',`
 		type xdm_t;
 	')
@ -35185,7 +35245,7 @@ index da2601a..ef2a773 100644
 ')
 ########################################
-@@ -688,7 +751,7 @@ interface(`xserver_rw_xdm_pipes',`
+@@ -688,7 +752,7 @@ interface(`xserver_rw_xdm_pipes',`
 		type xdm_t;
 	')
@ -35194,7 +35254,7 @@ index da2601a..ef2a773 100644
 ')
 ########################################
-@@ -703,12 +766,11 @@ interface(`xserver_rw_xdm_pipes',`
+@@ -703,12 +767,11 @@ interface(`xserver_rw_xdm_pipes',`
 ## </param>
 #
 interface(`xserver_dontaudit_rw_xdm_pipes',`
@ -35208,7 +35268,7 @@ index da2601a..ef2a773 100644
 ')
 ########################################
-@@ -724,11 +786,12 @@ interface(`xserver_dontaudit_rw_xdm_pipes',`
+@@ -724,11 +787,12 @@ interface(`xserver_dontaudit_rw_xdm_pipes',`
 #
 interface(`xserver_stream_connect_xdm',`
 	gen_require(`
@ -35223,7 +35283,7 @@ index da2601a..ef2a773 100644
 ')
 ########################################
-@@ -765,7 +828,7 @@ interface(`xserver_setattr_xdm_tmp_dirs',`
+@@ -765,7 +829,7 @@ interface(`xserver_setattr_xdm_tmp_dirs',`
 		type xdm_tmp_t;
 	')
@ -35232,7 +35292,7 @@ index da2601a..ef2a773 100644
 ')
 ########################################
-@@ -805,7 +868,7 @@ interface(`xserver_read_xdm_pid',`
+@@ -805,7 +869,7 @@ interface(`xserver_read_xdm_pid',`
 	')
 	files_search_pids($1)
@ -35241,7 +35301,7 @@ index da2601a..ef2a773 100644
 ')
 ########################################
-@@ -897,7 +960,7 @@ interface(`xserver_getattr_log',`
+@@ -897,7 +961,7 @@ interface(`xserver_getattr_log',`
 	')
 	logging_search_logs($1)
@ -35250,7 +35310,7 @@ index da2601a..ef2a773 100644
 ')
 ########################################
-@@ -916,7 +979,7 @@ interface(`xserver_dontaudit_write_log',`
+@@ -916,7 +980,7 @@ interface(`xserver_dontaudit_write_log',`
 		type xserver_log_t;
 	')
@ -35259,7 +35319,7 @@ index da2601a..ef2a773 100644
 ')
 ########################################
-@@ -963,6 +1026,45 @@ interface(`xserver_read_xkb_libs',`
+@@ -963,6 +1027,45 @@ interface(`xserver_read_xkb_libs',`
 ########################################
 ## <summary>
@ -35305,7 +35365,7 @@ index da2601a..ef2a773 100644
 ##	Read xdm temporary files.
 ## </summary>
 ## <param name="domain">
-@@ -976,7 +1078,7 @@ interface(`xserver_read_xdm_tmp_files',`
+@@ -976,7 +1079,7 @@ interface(`xserver_read_xdm_tmp_files',`
 		type xdm_tmp_t;
 	')
@ -35314,7 +35374,7 @@ index da2601a..ef2a773 100644
 	read_files_pattern($1, xdm_tmp_t, xdm_tmp_t)
 ')
-@@ -1052,7 +1154,7 @@ interface(`xserver_dontaudit_getattr_xdm_tmp_sockets',`
+@@ -1052,7 +1155,7 @@ interface(`xserver_dontaudit_getattr_xdm_tmp_sockets',`
 		type xdm_tmp_t;
 	')
@ -35323,7 +35383,7 @@ index da2601a..ef2a773 100644
 ')
 ########################################
-@@ -1070,8 +1172,10 @@ interface(`xserver_domtrans',`
+@@ -1070,8 +1173,10 @@ interface(`xserver_domtrans',`
 		type xserver_t, xserver_exec_t;
 	')
@ -35335,7 +35395,7 @@ index da2601a..ef2a773 100644
 ')
 ########################################
-@@ -1185,6 +1289,7 @@ interface(`xserver_stream_connect',`
+@@ -1185,6 +1290,7 @@ interface(`xserver_stream_connect',`
 	files_search_tmp($1)
 	stream_connect_pattern($1, xserver_tmp_t, xserver_tmp_t, xserver_t)
@ -35343,7 +35403,7 @@ index da2601a..ef2a773 100644
 ')
 ########################################
-@@ -1210,7 +1315,7 @@ interface(`xserver_read_tmp_files',`
+@@ -1210,7 +1316,7 @@ interface(`xserver_read_tmp_files',`
 ## <summary>
 ##	Interface to provide X object permissions on a given X server to
 ##	an X client domain.  Gives the domain permission to read the
@ -35352,7 +35412,7 @@ index da2601a..ef2a773 100644
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-@@ -1220,13 +1325,23 @@ interface(`xserver_read_tmp_files',`
+@@ -1220,13 +1326,23 @@ interface(`xserver_read_tmp_files',`
 #
 interface(`xserver_manage_core_devices',`
 	gen_require(`
@ -35377,7 +35437,7 @@ index da2601a..ef2a773 100644
 ')
 ########################################
-@@ -1243,10 +1358,355 @@ interface(`xserver_manage_core_devices',`
+@@ -1243,10 +1359,355 @@ interface(`xserver_manage_core_devices',`
 #
 interface(`xserver_unconfined',`
 	gen_require(`
@ -35736,7 +35796,7 @@ index da2601a..ef2a773 100644
 +	manage_files_pattern($1, user_fonts_config_t, user_fonts_config_t)
 +')
 diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te
-index e226da4..c80794b 100644
+index e226da4..6c6f684 100644
 --- a/policy/modules/services/xserver.te
 +++ b/policy/modules/services/xserver.te
@@ -26,27 +26,43 @@ gen_require(`
@ -36294,7 +36354,7 @@ index e226da4..c80794b 100644
 userdom_dontaudit_use_unpriv_user_fds(xdm_t)
 userdom_create_all_users_keys(xdm_t)
-@@ -473,10 +640,25 @@ userdom_read_user_home_content_files(xdm_t)
+@@ -473,9 +640,25 @@ userdom_read_user_home_content_files(xdm_t)
 # Search /proc for any user domain processes.
 userdom_read_all_users_state(xdm_t)
 userdom_signal_all_users(xdm_t)
@ -36308,7 +36368,8 @@ index e226da4..c80794b 100644
 xserver_rw_session(xdm_t, xdm_tmpfs_t)
 xserver_unconfined(xdm_t)
- 
+xserver_domtrans_xauth(xdm_t)
 +
 +ifndef(`distro_redhat',`
 +	allow xdm_t self:process { execheap execmem };
 +')
@ -36316,11 +36377,10 @@ index e226da4..c80794b 100644
 +ifdef(`distro_rhel4',`
 +	allow xdm_t self:process { execheap execmem };
 +')
-+
+ 
 tunable_policy(`use_nfs_home_dirs',`
 	fs_manage_nfs_dirs(xdm_t)
- 	fs_manage_nfs_files(xdm_t)
+@@ -504,11 +687,17 @@ tunable_policy(`xdm_sysadm_login',`
@@ -504,11 +686,17 @@ tunable_policy(`xdm_sysadm_login',`
 ')
 optional_policy(`
@ -36338,7 +36398,7 @@ index e226da4..c80794b 100644
 ')
 optional_policy(`
-@@ -516,12 +704,49 @@ optional_policy(`
+@@ -516,12 +705,49 @@ optional_policy(`
 ')
 optional_policy(`
@ -36388,7 +36448,7 @@ index e226da4..c80794b 100644
 	hostname_exec(xdm_t)
 ')
-@@ -539,28 +764,63 @@ optional_policy(`
+@@ -539,28 +765,63 @@ optional_policy(`
 ')
 optional_policy(`
@ -36461,7 +36521,7 @@ index e226da4..c80794b 100644
 ')
 optional_policy(`
-@@ -572,6 +832,10 @@ optional_policy(`
+@@ -572,6 +833,10 @@ optional_policy(`
 ')
 optional_policy(`
@ -36472,7 +36532,7 @@ index e226da4..c80794b 100644
 	xfs_stream_connect(xdm_t)
 ')
-@@ -596,7 +860,7 @@ allow xserver_t input_xevent_t:x_event send;
+@@ -596,7 +861,7 @@ allow xserver_t input_xevent_t:x_event send;
 # execheap needed until the X module loader is fixed.
 # NVIDIA Needs execstack
@ -36481,7 +36541,7 @@ index e226da4..c80794b 100644
 dontaudit xserver_t self:capability chown;
 allow xserver_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
 allow xserver_t self:fd use;
-@@ -610,6 +874,14 @@ allow xserver_t self:unix_dgram_socket { create_socket_perms sendto };
+@@ -610,6 +875,14 @@ allow xserver_t self:unix_dgram_socket { create_socket_perms sendto };
 allow xserver_t self:unix_stream_socket { create_stream_socket_perms connectto };
 allow xserver_t self:tcp_socket create_stream_socket_perms;
 allow xserver_t self:udp_socket create_socket_perms;
@ -36496,7 +36556,7 @@ index e226da4..c80794b 100644
 manage_dirs_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
 manage_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
-@@ -629,12 +901,19 @@ manage_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
+@@ -629,12 +902,19 @@ manage_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
 manage_lnk_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
 files_search_var_lib(xserver_t)
@ -36518,7 +36578,7 @@ index e226da4..c80794b 100644
 kernel_read_system_state(xserver_t)
 kernel_read_device_sysctls(xserver_t)
-@@ -642,6 +921,7 @@ kernel_read_modprobe_sysctls(xserver_t)
+@@ -642,6 +922,7 @@ kernel_read_modprobe_sysctls(xserver_t)
 # Xorg wants to check if kernel is tainted
 kernel_read_kernel_sysctls(xserver_t)
 kernel_write_proc_files(xserver_t)
@ -36526,7 +36586,7 @@ index e226da4..c80794b 100644
 # Run helper programs in xserver_t.
 corecmd_exec_bin(xserver_t)
-@@ -668,7 +948,6 @@ dev_rw_apm_bios(xserver_t)
+@@ -668,7 +949,6 @@ dev_rw_apm_bios(xserver_t)
 dev_rw_agp(xserver_t)
 dev_rw_framebuffer(xserver_t)
 dev_manage_dri_dev(xserver_t)
@ -36534,7 +36594,7 @@ index e226da4..c80794b 100644
 dev_create_generic_dirs(xserver_t)
 dev_setattr_generic_dirs(xserver_t)
 # raw memory access is needed if not using the frame buffer
-@@ -678,8 +957,13 @@ dev_wx_raw_memory(xserver_t)
+@@ -678,8 +958,13 @@ dev_wx_raw_memory(xserver_t)
 dev_rw_xserver_misc(xserver_t)
 # read events - the synaptics touchpad driver reads raw events
 dev_rw_input_dev(xserver_t)
@ -36548,7 +36608,7 @@ index e226da4..c80794b 100644
 files_read_etc_files(xserver_t)
 files_read_etc_runtime_files(xserver_t)
 files_read_usr_files(xserver_t)
-@@ -693,8 +977,13 @@ fs_getattr_xattr_fs(xserver_t)
+@@ -693,8 +978,13 @@ fs_getattr_xattr_fs(xserver_t)
 fs_search_nfs(xserver_t)
 fs_search_auto_mountpoints(xserver_t)
 fs_search_ramfs(xserver_t)
@ -36562,7 +36622,7 @@ index e226da4..c80794b 100644
 selinux_validate_context(xserver_t)
 selinux_compute_access_vector(xserver_t)
-@@ -716,11 +1005,14 @@ logging_send_audit_msgs(xserver_t)
+@@ -716,11 +1006,14 @@ logging_send_audit_msgs(xserver_t)
 miscfiles_read_localization(xserver_t)
 miscfiles_read_fonts(xserver_t)
@ -36577,7 +36637,7 @@ index e226da4..c80794b 100644
 userdom_search_user_home_dirs(xserver_t)
 userdom_use_user_ttys(xserver_t)
-@@ -773,12 +1065,28 @@ optional_policy(`
+@@ -773,12 +1066,28 @@ optional_policy(`
 ')
 optional_policy(`
@ -36607,7 +36667,7 @@ index e226da4..c80794b 100644
 	unconfined_domtrans(xserver_t)
 ')
-@@ -787,6 +1095,10 @@ optional_policy(`
+@@ -787,6 +1096,10 @@ optional_policy(`
 ')
 optional_policy(`
@ -36618,7 +36678,7 @@ index e226da4..c80794b 100644
 	xfs_stream_connect(xserver_t)
 ')
-@@ -802,10 +1114,10 @@ allow xserver_t xdm_t:shm rw_shm_perms;
+@@ -802,10 +1115,10 @@ allow xserver_t xdm_t:shm rw_shm_perms;
 # NB we do NOT allow xserver_t xdm_var_lib_t:dir, only access to an open
 # handle of a file inside the dir!!!
@ -36632,7 +36692,7 @@ index e226da4..c80794b 100644
 # Label pid and temporary files with derived types.
 manage_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
-@@ -813,7 +1125,7 @@ manage_lnk_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
+@@ -813,7 +1126,7 @@ manage_lnk_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
 manage_sock_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
 # Run xkbcomp.
@ -36641,7 +36701,7 @@ index e226da4..c80794b 100644
 can_exec(xserver_t, xkb_var_lib_t)
 # VNC v4 module in X server
-@@ -826,6 +1138,9 @@ init_use_fds(xserver_t)
+@@ -826,6 +1139,9 @@ init_use_fds(xserver_t)
 # to read ROLE_home_t - examine this in more detail
 # (xauth?)
 userdom_read_user_home_content_files(xserver_t)
@ -36651,7 +36711,7 @@ index e226da4..c80794b 100644
 tunable_policy(`use_nfs_home_dirs',`
 	fs_manage_nfs_dirs(xserver_t)
-@@ -841,11 +1156,14 @@ tunable_policy(`use_samba_home_dirs',`
+@@ -841,11 +1157,14 @@ tunable_policy(`use_samba_home_dirs',`
 optional_policy(`
 	dbus_system_bus_client(xserver_t)
@ -36668,7 +36728,7 @@ index e226da4..c80794b 100644
 ')
 optional_policy(`
-@@ -853,6 +1171,10 @@ optional_policy(`
+@@ -853,6 +1172,10 @@ optional_policy(`
 	rhgb_rw_tmpfs_files(xserver_t)
 ')
@ -36679,7 +36739,7 @@ index e226da4..c80794b 100644
 ########################################
 #
 # Rules common to all X window domains
-@@ -896,7 +1218,7 @@ allow x_domain xproperty_t:x_property { getattr create read write append destroy
+@@ -896,7 +1219,7 @@ allow x_domain xproperty_t:x_property { getattr create read write append destroy
 allow x_domain root_xdrawable_t:x_drawable { getattr setattr list_child add_child remove_child send receive hide show };
 # operations allowed on my windows
 allow x_domain self:x_drawable { create destroy getattr setattr read write show hide list_child add_child remove_child manage send receive };
@ -36688,7 +36748,7 @@ index e226da4..c80794b 100644
 # operations allowed on all windows
 allow x_domain x_domain:x_drawable { getattr get_property set_property remove_child };
-@@ -950,11 +1272,31 @@ allow x_domain self:x_resource { read write };
+@@ -950,11 +1273,31 @@ allow x_domain self:x_resource { read write };
 # can mess with the screensaver
 allow x_domain xserver_t:x_screen { getattr saver_getattr };
@ -36720,7 +36780,7 @@ index e226da4..c80794b 100644
 tunable_policy(`! xserver_object_manager',`
 	# should be xserver_unconfined(x_domain),
 	# but typeattribute doesnt work in conditionals
-@@ -976,18 +1318,32 @@ tunable_policy(`! xserver_object_manager',`
+@@ -976,18 +1319,32 @@ tunable_policy(`! xserver_object_manager',`
 	allow x_domain xevent_type:{ x_event x_synthetic_event } *;
 ')
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@ -20,7 +20,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.9.5
-Release: 5%{?dist}
+Release: 7%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@ -469,6 +469,23 @@ exit 0
 %endif
 %changelog
 * Mon Sep 26 2010 Dan Walsh <dwalsh@redhat.com> 3.9.5-7
 - Fixes to allow mozilla_plugin_t to create nsplugin_home_t directory.
 - Allow mozilla_plugin_t to create tcp/udp/netlink_route sockets
 - Allow confined users to read xdm_etc_t files
 - Allow xdm_t to transition to xauth_t for lxdm program
 * Sun Sep 26 2010 Dan Walsh <dwalsh@redhat.com> 3.9.5-6
 - Rearrange firewallgui policy to be more easily updated to upstream, dontaudit search of /home
 - Allow clamd to send signals to itself
 - Allow mozilla_plugin_t to read user home content.  And unlink pulseaudio shm.
 - Allow haze to connect to yahoo chat and messenger port tcp:5050.
 Bz #637339
 - Allow guest to run ps command on its processes by allowing it to read /proc
 - Allow firewallgui to sys_rawio which seems to be required to setup masqerading
 - Allow all domains to search through default_t directories, in order to find differnet labels.  For example people serring up /foo/bar to be share via samba.
 - Add label for /var/log/slim.log
 * Fri Sep 24 2010 Dan Walsh <dwalsh@redhat.com> 3.9.5-5
 - Pull in cleanups from dgrift
 - Allow mozilla_plugin_t to execute mozilla_home_t