- Begin adding policy to separate setsebool from semanage

- Fix xserver.if definition to not break sepolgen.if
2007-07-12 21:37:30 +00:00 · 2007-07-12 21:37:30 +00:00 · 7e3506426b
commit 7e3506426b
parent 16d9531977
2 changed files with 229 additions and 170 deletions
--- a/policy-20070703.patch
+++ b/policy-20070703.patch
@ -6685,18 +6685,21 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.if serefpolicy-3.0.2/policy/modules/services/xserver.if
 --- nsaserefpolicy/policy/modules/services/xserver.if	2007-07-03 07:06:27.000000000 -0400
-+++ serefpolicy-3.0.2/policy/modules/services/xserver.if	2007-07-12 09:36:57.000000000 -0400
+++ serefpolicy-3.0.2/policy/modules/services/xserver.if	2007-07-12 17:01:56.000000000 -0400
-@@ -353,9 +353,6 @@
+@@ -353,12 +353,6 @@
 	# allow ps to show xauth
 	ps_process_pattern($2,$1_xauth_t)
 -	allow $2 $1_xauth_home_t:file manage_file_perms;
 -	allow $2 $1_xauth_home_t:file { relabelfrom relabelto };
 -
- 	allow xdm_t $1_xauth_home_t:file manage_file_perms;
+-	allow xdm_t $1_xauth_home_t:file manage_file_perms;
- 	userdom_user_home_dir_filetrans($1,xdm_t,$1_xauth_home_t,file)
+-	userdom_user_home_dir_filetrans($1,xdm_t,$1_xauth_home_t,file)
 -
 	domain_use_interactive_fds($1_xauth_t)
-@@ -387,6 +384,14 @@
+ 	files_read_etc_files($1_xauth_t)
@@ -387,6 +381,14 @@
 	')
 	optional_policy(`
@ -6711,7 +6714,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
 		nis_use_ypbind($1_xauth_t)
 	')
-@@ -537,16 +542,14 @@
+@@ -537,16 +539,14 @@
 	gen_require(`
 		type xdm_t, xdm_tmp_t;
@ -6730,7 +6733,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
 	# for when /tmp/.X11-unix is created by the system
 	allow $2 xdm_t:fd use;
-@@ -555,6 +558,8 @@
+@@ -555,25 +555,40 @@
 	allow $2 xdm_tmp_t:sock_file { read write };
 	dontaudit $2 xdm_t:tcp_socket { read write };
@ -6739,8 +6742,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
 	# Allow connections to X server.
 	files_search_tmp($2)
-@@ -565,15 +570,26 @@
+ 	miscfiles_read_fonts($2)
- 	userdom_dontaudit_write_user_home_content_files($1,$2)
+ 
 	userdom_search_user_home_dirs($1,$2)
 -	# for .xsession-errors
 -	userdom_dontaudit_write_user_home_content_files($1,$2)
 +	userdom_manage_user_home_content_dirs($1, xdm_t)
 +	userdom_manage_user_home_content_files($1, xdm_t)
 +	userdom_user_home_dir_filetrans_user_home_content($1, xdm_t, { dir file })
 	xserver_ro_session_template(xdm,$2,$3)
 -	xserver_rw_session_template($1,$2,$3)
@ -6754,6 +6763,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
 -		allow $2 $1_xserver_tmpfs_t:file rw_file_perms;
 +	xserver_xdm_stream_connect($2)
 +
 +
 +	# Read .Xauthority file
 +	optional_policy(`
 +		xserver_read_user_xauth($1, $2)
@ -6772,7 +6782,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
 	')
 ')
-@@ -626,6 +642,24 @@
+@@ -626,6 +641,24 @@
 ########################################
 ## <summary>
@ -6797,7 +6807,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
 ##	Transition to a user Xauthority domain.
 ## </summary>
 ## <desc>
-@@ -659,6 +693,73 @@
+@@ -659,6 +692,73 @@
 ########################################
 ## <summary>
@ -6871,7 +6881,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
 ##	Transition to a user Xauthority domain.
 ## </summary>
 ## <desc>
-@@ -1136,7 +1237,7 @@
+@@ -1136,7 +1236,7 @@
 		type xdm_xserver_tmp_t;
 	')
@ -6880,7 +6890,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
 ')
 ########################################
-@@ -1325,3 +1426,24 @@
+@@ -1325,3 +1425,23 @@
 	files_search_tmp($1)
 	stream_connect_pattern($1,xdm_xserver_tmp_t,xdm_xserver_tmp_t,xdm_xserver_t)
 ')
@ -6904,7 +6914,6 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
 +	allow $1 xdm_var_run_t:sock_file write;
 +	allow $1 xdm_t:unix_stream_socket connectto;
 +')
 +
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.te serefpolicy-3.0.2/policy/modules/services/xserver.te
 --- nsaserefpolicy/policy/modules/services/xserver.te	2007-07-03 07:06:27.000000000 -0400
 +++ serefpolicy-3.0.2/policy/modules/services/xserver.te	2007-07-11 10:06:28.000000000 -0400
@ -7563,8 +7572,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/brctl.
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/brctl.te serefpolicy-3.0.2/policy/modules/system/brctl.te
 --- nsaserefpolicy/policy/modules/system/brctl.te	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.0.2/policy/modules/system/brctl.te	2007-07-11 10:06:28.000000000 -0400
+++ serefpolicy-3.0.2/policy/modules/system/brctl.te	2007-07-12 15:49:33.000000000 -0400
-@@ -0,0 +1,38 @@
+@@ -0,0 +1,41 @@
 +policy_module(brctl,1.0.0)
 +
 +########################################
@ -7582,10 +7591,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/brctl.
 +# brctl local policy
 +#
 +
 +allow brctl_t self:tcp_socket create_socket_perms;
 +allow brctl_t self:unix_dgram_socket create_socket_perms;
 +
 +# Init script handling
 +domain_use_interactive_fds(brctl_t)
 +
 +kernel_load_module(brctl_t)
 +kernel_read_network_state(brctl_t)
 +
 +## internal communication is often done using fifo and unix sockets.
 +allow brctl_t self:fifo_file rw_file_perms;
@ -7602,7 +7615,6 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/brctl.
 +	term_dontaudit_use_unallocated_ttys(brctl_t)
 +	term_dontaudit_use_generic_ptys(brctl_t)
 +')
 +
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/fstools.fc serefpolicy-3.0.2/policy/modules/system/fstools.fc
 --- nsaserefpolicy/policy/modules/system/fstools.fc	2007-06-11 16:05:30.000000000 -0400
 +++ serefpolicy-3.0.2/policy/modules/system/fstools.fc	2007-07-11 10:06:28.000000000 -0400
@ -8931,7 +8943,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu
 #
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinuxutil.if serefpolicy-3.0.2/policy/modules/system/selinuxutil.if
 --- nsaserefpolicy/policy/modules/system/selinuxutil.if	2007-05-30 11:47:29.000000000 -0400
-+++ serefpolicy-3.0.2/policy/modules/system/selinuxutil.if	2007-07-11 10:06:29.000000000 -0400
+++ serefpolicy-3.0.2/policy/modules/system/selinuxutil.if	2007-07-12 10:58:12.000000000 -0400
@@ -432,6 +432,7 @@
 	role $2 types run_init_t;
 	allow run_init_t $3:chr_file rw_term_perms;
@ -8940,6 +8952,82 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu
 ')
 ########################################
@@ -968,6 +969,26 @@
 ########################################
 ## <summary>
 +##	Execute a domain transition to run setsebool.
 +## </summary>
 +## <param name="domain">
 +##	<summary>
 +##	Domain allowed to transition.
 +##	</summary>
 +## </param>
 +#
 +interface(`seutil_domtrans_setsebool',`
 +	gen_require(`
 +		type semanage_t, setsebool_exec_t;
 +	')
 +
 +	files_search_usr($1)
 +	corecmd_search_bin($1)
 +	domtrans_pattern($1,setsebool_exec_t,semanage_t)
 +')
 +
 +########################################
 +## <summary>
 ##	Execute semanage in the semanage domain, and
 ##	allow the specified role the semanage domain,
 ##	and use the caller's terminal.
@@ -979,7 +1000,7 @@
 ## </param>
 ## <param name="role">
 ##	<summary>
 -##	The role to be allowed the checkpolicy domain.
 +##	The role to be allowed the semanage domain.
 ##	</summary>
 ## </param>
 ## <param name="terminal">
@@ -1001,6 +1022,39 @@
 ########################################
 ## <summary>
 +##	Execute setsebool in the semanage domain, and
 +##	allow the specified role the semanage domain,
 +##	and use the caller's terminal.
 +## </summary>
 +## <param name="domain">
 +##	<summary>
 +##	Domain allowed access.
 +##	</summary>
 +## </param>
 +## <param name="role">
 +##	<summary>
 +##	The role to be allowed the semanage domain.
 +##	</summary>
 +## </param>
 +## <param name="terminal">
 +##	<summary>
 +##	The type of the terminal allow the semanage domain to use.
 +##	</summary>
 +## </param>
 +## <rolecap/>
 +#
 +interface(`seutil_run_setsebool',`
 +	gen_require(`
 +		type semanage_t;
 +	')
 +
 +	seutil_domtrans_setsebool($1)
 +	role $2 types semanage_t;
 +	allow semanage_t $3:chr_file rw_term_perms;
 +')
 +
 +########################################
 +## <summary>
 ##	Full management of the semanage
 ##	module store.
 ## </summary>
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinuxutil.te serefpolicy-3.0.2/policy/modules/system/selinuxutil.te
 --- nsaserefpolicy/policy/modules/system/selinuxutil.te	2007-05-30 11:47:29.000000000 -0400
 +++ serefpolicy-3.0.2/policy/modules/system/selinuxutil.te	2007-07-12 09:43:18.000000000 -0400
@ -9488,7 +9576,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.te serefpolicy-3.0.2/policy/modules/system/unconfined.te
 --- nsaserefpolicy/policy/modules/system/unconfined.te	2007-06-15 14:54:34.000000000 -0400
-+++ serefpolicy-3.0.2/policy/modules/system/unconfined.te	2007-07-11 10:06:29.000000000 -0400
+++ serefpolicy-3.0.2/policy/modules/system/unconfined.te	2007-07-12 10:58:38.000000000 -0400
@@ -5,30 +5,36 @@
 #
 # Declarations
@ -9542,13 +9630,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf
 libs_run_ldconfig(unconfined_t,unconfined_r,{ unconfined_devpts_t unconfined_tty_device_t })
-@@ -44,23 +51,21 @@
+@@ -44,23 +51,22 @@
 logging_run_auditctl(unconfined_t,unconfined_r,{ unconfined_devpts_t unconfined_tty_device_t })
 mount_run_unconfined(unconfined_t,unconfined_r,{ unconfined_devpts_t unconfined_tty_device_t })
 +# Unconfined running as system_r
 +mount_domtrans_unconfined(unconfined_t)
 +seutil_run_setsebool(unconfined_t,unconfined_r,{ unconfined_devpts_t unconfined_tty_device_t })
 seutil_run_setfiles(unconfined_t,unconfined_r,{ unconfined_devpts_t unconfined_tty_device_t })
 seutil_run_semanage(unconfined_t,unconfined_r,{ unconfined_devpts_t unconfined_tty_device_t })
@ -9570,7 +9659,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf
 ')
 optional_policy(`
-@@ -68,16 +73,6 @@
+@@ -68,16 +74,6 @@
 ')
 optional_policy(`
@ -9587,7 +9676,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf
 	init_dbus_chat_script(unconfined_t)
 	dbus_stub(unconfined_t)
-@@ -120,11 +115,7 @@
+@@ -120,11 +116,7 @@
 ')
 optional_policy(`
@ -9600,7 +9689,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf
 ')
 optional_policy(`
-@@ -136,11 +127,7 @@
+@@ -136,11 +128,7 @@
 ')
 optional_policy(`
@ -9613,7 +9702,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf
 ')
 optional_policy(`
-@@ -157,18 +144,6 @@
+@@ -157,18 +145,6 @@
 optional_policy(`
 	postfix_run_map(unconfined_t,unconfined_r,{ unconfined_devpts_t unconfined_tty_device_t })
@ -9632,7 +9721,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf
 ')
 optional_policy(`
-@@ -182,10 +157,6 @@
+@@ -182,10 +158,6 @@
 ')
 optional_policy(`
@ -9643,7 +9732,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf
 	sysnet_run_dhcpc(unconfined_t,unconfined_r,{ unconfined_devpts_t unconfined_tty_device_t })
 	sysnet_dbus_chat_dhcpc(unconfined_t)
 ')
-@@ -207,7 +178,7 @@
+@@ -207,7 +179,7 @@
 ')
 optional_policy(`
@ -9652,7 +9741,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf
 ')
 optional_policy(`
-@@ -229,6 +200,12 @@
+@@ -229,6 +201,12 @@
 	unconfined_dbus_chat(unconfined_execmem_t)
 	optional_policy(`
@ -9667,7 +9756,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf
 +corecmd_exec_all_executables(unconfined_t)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.0.2/policy/modules/system/userdomain.if
 --- nsaserefpolicy/policy/modules/system/userdomain.if	2007-07-03 07:06:32.000000000 -0400
-+++ serefpolicy-3.0.2/policy/modules/system/userdomain.if	2007-07-11 10:06:29.000000000 -0400
+++ serefpolicy-3.0.2/policy/modules/system/userdomain.if	2007-07-12 17:08:16.000000000 -0400
@@ -62,6 +62,10 @@
 	allow $1_t $1_tty_device_t:chr_file { setattr rw_chr_file_perms };
@ -9996,7 +10085,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
 		samba_stream_connect_winbind($1_t)
 	')
-@@ -962,21 +876,122 @@
+@@ -962,21 +876,158 @@
 ##	</summary>
 ## </param>
 #
@ -10017,6 +10106,24 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
 +	filetrans_pattern(privhome,$1_home_dir_t,$1_home_t,{ dir file lnk_file sock_file fifo_file })
 +')
 +
 +#######################################
 +## <summary>
 +##	The template for creating a login user.
 +## </summary>
 +## <desc>
 +##	<p>
 +##	This template creates a user domain, types, and
 +##	rules for the user's tty, pty, home directories,
 +##	tmp, and tmpfs files.
 +##	</p>
 +## </desc>
 +## <param name="userdomain_prefix">
 +##	<summary>
 +##	The prefix of the user domain (e.g., user
 +##	is the prefix for user_t).
 +##	</summary>
 +## </param>
 +#
 +template(`userdom_login_user_template', `
 +	userdom_base_user_template($1)
 +
@ -10112,6 +10219,24 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
 +	')
 +')
 +
 +#######################################
 +## <summary>
 +##	The template for creating a unprivileged login user.
 +## </summary>
 +## <desc>
 +##	<p>
 +##	This template creates a user domain, types, and
 +##	rules for the user's tty, pty, home directories,
 +##	tmp, and tmpfs files.
 +##	</p>
 +## </desc>
 +## <param name="userdomain_prefix">
 +##	<summary>
 +##	The prefix of the user domain (e.g., user
 +##	is the prefix for user_t).
 +##	</summary>
 +## </param>
 +#
 +template(`userdom_unpriv_login_user', `
 +	gen_require(`
 +		attribute unpriv_userdomain;
@ -10125,7 +10250,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
 	domain_interactive_fd($1_t)
 	typeattribute $1_devpts_t user_ptynode;
-@@ -985,15 +1000,45 @@
+@@ -985,15 +1036,45 @@
 	typeattribute $1_tmp_t user_tmpfile;
 	typeattribute $1_tty_device_t user_ttynode;
@ -10175,7 +10300,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
 	# port access is audited even if dac would not have allowed it, so dontaudit it here
 	corenet_dontaudit_tcp_bind_all_reserved_ports($1_t)
-@@ -1033,14 +1078,6 @@
+@@ -1033,14 +1114,6 @@
 	')
 	optional_policy(`
@ -10190,7 +10315,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
 		netutils_run_ping_cond($1_t,$1_r,{ $1_tty_device_t $1_devpts_t })
 		netutils_run_traceroute_cond($1_t,$1_r,{ $1_tty_device_t $1_devpts_t })
 	')
-@@ -1054,12 +1091,8 @@
+@@ -1054,12 +1127,8 @@
 		setroubleshoot_stream_connect($1_t)
 	')
@ -10204,7 +10329,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
 	# Do not audit write denials to /etc/ld.so.cache.
 	dontaudit $1_t ld_so_cache_t:file write;
-@@ -1102,6 +1135,8 @@
+@@ -1102,6 +1171,8 @@
 		class passwd { passwd chfn chsh rootok crontab };
 	')
@ -10213,7 +10338,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
 	##############################
 	#
 	# Declarations
-@@ -1127,7 +1162,7 @@
+@@ -1127,7 +1198,7 @@
 	# $1_t local policy
 	#
@ -10222,7 +10347,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
 	allow $1_t self:process { setexec setfscreate };
 	# Set password information for other users.
-@@ -1139,8 +1174,6 @@
+@@ -1139,8 +1210,6 @@
 	# Manipulate other users crontab.
 	allow $1_t self:passwd crontab;
@ -10231,7 +10356,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
 	kernel_read_software_raid_state($1_t)
 	kernel_getattr_core_if($1_t)
 	kernel_getattr_message_if($1_t)
-@@ -3078,7 +3111,7 @@
+@@ -3078,7 +3147,7 @@
 #
 template(`userdom_tmp_filetrans_user_tmp',`
 	gen_require(`
@ -10240,7 +10365,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
 	')
 	files_tmp_filetrans($2,$1_tmp_t,$3)
-@@ -5323,7 +5356,7 @@
+@@ -5323,7 +5392,7 @@
 		attribute user_tmpfile;
 	')
@ -10249,7 +10374,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
 ')
 ########################################
-@@ -5548,6 +5581,26 @@
+@@ -5548,6 +5617,26 @@
 ########################################
 ## <summary>
@ -10276,7 +10401,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
 ##	Unconfined access to user domains.  (Deprecated)
 ## </summary>
 ## <param name="domain">
-@@ -5559,3 +5612,124 @@
+@@ -5559,3 +5648,173 @@
 interface(`userdom_unconfined',`
 	refpolicywarn(`$0($*) has been deprecated.')
 ')
@ -10401,9 +10526,58 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
 +	allow $1 user_home_type:file unlink;
 +')
 +
 +#######################################
 +## <summary>
 +##	The template for creating a unprivileged login user.
 +## </summary>
 +## <desc>
 +##	<p>
 +##	This template creates a user domain, types, and
 +##	rules for the user's tty, pty, home directories,
 +##	tmp, and tmpfs files.
 +##	</p>
 +## </desc>
 +## <param name="userdomain_prefix">
 +##	<summary>
 +##	The prefix of the user domain (e.g., user
 +##	is the prefix for user_t).
 +##	</summary>
 +## </param>
 +#
 +template(`userdom_unpriv_xwindows_login_user', `
 +
 +userdom_unpriv_login_user($1)
 +userdom_xwindows_client_template($1)
 +
 +auth_exec_pam($1_t)
 +logging_send_syslog_msg($1_t)
 +
 +optional_policy(`
 +	alsa_read_rw_config($1_t)
 +')
 +authlogin_per_role_template($1, $1_t, $1_r)
 +
 +optional_policy(`
 +	dbus_per_role_template($1, $1_t, $1_r)
 +	dbus_system_bus_client_template($1, $1_t)
 +	allow $1_t self:dbus send_msg;
 +')
 +
 +optional_policy(`
 +	ssh_per_role_template($1, $1_t, $1_r)
 +')
 +
 +optional_policy(`
 +	setroubleshoot_dontaudit_stream_connect($1_t)
 +')
 +
 +#dev_read_rand($1_t)
 +
 +')
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.te serefpolicy-3.0.2/policy/modules/system/userdomain.te
 --- nsaserefpolicy/policy/modules/system/userdomain.te	2007-07-03 07:06:32.000000000 -0400
-+++ serefpolicy-3.0.2/policy/modules/system/userdomain.te	2007-07-11 10:06:29.000000000 -0400
+++ serefpolicy-3.0.2/policy/modules/system/userdomain.te	2007-07-12 10:51:56.000000000 -0400
@@ -74,6 +74,9 @@
 # users home directory contents
 attribute home_type;
@ -10477,7 +10651,13 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
 	netutils_run(sysadm_t,sysadm_r,admin_terminal)
 	netutils_run_ping(sysadm_t,sysadm_r,admin_terminal)
 	netutils_run_traceroute(sysadm_t,sysadm_r,admin_terminal)
-@@ -456,6 +457,9 @@
+@@ -451,11 +452,15 @@
 ')
 optional_policy(`
 +	seutil_run_setsebool(sysadm_t,sysadm_r,admin_terminal)
 	seutil_run_setfiles(sysadm_t,sysadm_r,admin_terminal)
 	seutil_run_runinit(sysadm_t,sysadm_r,admin_terminal)
 	ifdef(`enable_mls',`
 		userdom_security_admin_template(secadm_t,secadm_r,{ secadm_tty_device_t sysadm_devpts_t })
@ -10487,7 +10667,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
 	', `
 		userdom_security_admin_template(sysadm_t,sysadm_r,admin_terminal)
 	')
-@@ -498,3 +502,7 @@
+@@ -498,3 +503,7 @@
 optional_policy(`
 	yam_run(sysadm_t,sysadm_r,admin_terminal)
 ')
@ -10541,135 +10721,13 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/guest.i
 +## <summary>Policy for guest user</summary>
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/guest.te serefpolicy-3.0.2/policy/modules/users/guest.te
 --- nsaserefpolicy/policy/modules/users/guest.te	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.0.2/policy/modules/users/guest.te	2007-07-11 10:06:29.000000000 -0400
+++ serefpolicy-3.0.2/policy/modules/users/guest.te	2007-07-12 17:31:09.000000000 -0400
-@@ -0,0 +1,127 @@
+@@ -0,0 +1,5 @@
 +policy_module(guest,1.0.0)
 +
 +define(`userdom_login_user', `
 +	userdom_base_user_template($1)
 +
 +	userdom_manage_home_template($1)
 +	userdom_exec_home_template($1)
 +	userdom_manage_tmp_template($1)
 +	userdom_exec_tmp_template($1)
 +	userdom_manage_tmpfs_template($1)
 +
 +	userdom_change_password_template($1)
 +
 +	role $1_r types $1_t;
 +	allow system_r $1_r;
 +
 +	application_exec_all($1_t)
 +
 +	allow $1_t self:capability { setgid chown fowner };
 +	dontaudit $1_t self:capability { sys_nice fsetid };
 +	allow $1_t self:process ~{ setcurrent setexec setrlimit execmem execstack execheap };
 +	
 +	dontaudit $1_t self:netlink_route_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown nlmsg_read nlmsg_write };
 +
 +	##############################
 +	#
 +	# User domain Local policy
 +	#
 +
 +	kernel_read_system_state($1_t)
 +
 +	dev_read_sysfs($1_t)
 +	dev_read_urand($1_t)
 +
 +	domain_use_interactive_fds($1_t)
 +	# Command completion can fire hundreds of denials
 +	domain_dontaudit_exec_all_entry_files($1_t)
 +
 +	# Stat lost+found.
 +	files_getattr_lost_found_dirs($1_t)
 +
 +	fs_get_all_fs_quotas($1_t)
 +	fs_getattr_all_fs($1_t)
 +	fs_getattr_all_dirs($1_t)
 +	fs_search_auto_mountpoints($1_t)
 +	fs_list_inotifyfs($1_t)
 +
 +	# Stop warnings about access to /dev/console
 +	init_dontaudit_rw_utmp($1_t)
 +	init_dontaudit_use_fds($1_t)
 +	init_dontaudit_use_script_fds($1_t)
 +
 +	libs_exec_lib_files($1_t)
 +
 +	logging_dontaudit_getattr_all_logs($1_t)
 +
 +	miscfiles_read_man_pages($1_t)
 +	# for running TeX programs
 +	miscfiles_read_tetex_data($1_t)
 +	miscfiles_exec_tetex_data($1_t)
 +
 +	seutil_read_config($1_t)
 +
 +	files_dontaudit_list_default($1_t)
 +	files_dontaudit_read_default_files($1_t)
 +
 +	tunable_policy(`user_ttyfile_stat',`
 +		term_getattr_all_user_ttys($1_t)
 +	')
 +
 +	# for running depmod as part of the kernel packaging process
 +	optional_policy(`
 +		modutils_read_module_config($1_t)
 +	')
 +
 +	optional_policy(`
 +		mta_rw_spool($1_t)
 +	')
 +
 +	optional_policy(`
 +		nis_use_ypbind($1_t)
 +	')
 +
 +	optional_policy(`
 +		nscd_socket_use($1_t)
 +	')
 +
 +	optional_policy(`
 +		quota_dontaudit_getattr_db($1_t)
 +	')
 +
 +	optional_policy(`
 +		rpm_read_db($1_t)
 +		rpm_dontaudit_manage_db($1_t)
 +	')
 +')
 +
 +define(`userdom_unpriv_login_user', `
 +	gen_require(`
 +		attribute unpriv_userdomain;
 +		attribute privhome, user_ptynode, user_home_dir_type, user_home_type, user_tmpfile, user_ttynode;
 +	')
 +	userdom_login_user($1)
 +	userdom_privhome_user_template($1)
 +
 +	typeattribute $1_t unpriv_userdomain;
 +	
 +	typeattribute $1_t unpriv_userdomain;
 +	domain_interactive_fd($1_t)
 +
 +	typeattribute $1_devpts_t user_ptynode;
 +	typeattribute $1_home_dir_t user_home_dir_type;
 +	typeattribute $1_home_t user_home_type;
 +	typeattribute $1_tmp_t user_tmpfile;
 +	typeattribute $1_tty_device_t user_ttynode;
 +
 +')
 +userdom_unpriv_login_user(guest)
 +userdom_unpriv_login_user(gadmin)
-+#userdom_basic_networking_template(guest)
+userdom_unpriv_xwindows_login_user(xguest)
-+#kernel_read_network_state($1_t)
+mozilla_per_role_template(xguest, xguest_t, xguest_r)
 +#kernel_read_net_sysctls($1_t)
 +#corenet_udp_bind_all_nodes($1_t)
 +#corenet_udp_bind_generic_port($1_t)
 +
 +
 +
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/logadm.fc serefpolicy-3.0.2/policy/modules/users/logadm.fc
 --- nsaserefpolicy/policy/modules/users/logadm.fc	1969-12-31 19:00:00.000000000 -0500
 +++ serefpolicy-3.0.2/policy/modules/users/logadm.fc	2007-07-11 10:06:29.000000000 -0400
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@ -17,7 +17,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.0.2
-Release: 6%{?dist}
+Release: 7%{?dist}
 License: GPL
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@ -356,7 +356,8 @@ exit 0
 %endif
 %changelog
-* Thu Jul 12 2007 Dan Walsh <dwalsh@redhat.com> 3.0.2-6
+* Thu Jul 12 2007 Dan Walsh <dwalsh@redhat.com> 3.0.2-7
 - Begin adding policy to separate setsebool from semanage
 - Fix xserver.if definition to not break sepolgen.if
 * Wed Jul 11 2007 Dan Walsh <dwalsh@redhat.com> 3.0.2-5