- Begin adding policy to separate setsebool from semanage
- Fix xserver.if definition to not break sepolgen.if
This commit is contained in:
		
							parent
							
								
									16d9531977
								
							
						
					
					
						commit
						7e3506426b
					
				| @ -6685,18 +6685,21 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser | |||||||
|   |   | ||||||
| diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.if serefpolicy-3.0.2/policy/modules/services/xserver.if
 | diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.if serefpolicy-3.0.2/policy/modules/services/xserver.if
 | ||||||
| --- nsaserefpolicy/policy/modules/services/xserver.if	2007-07-03 07:06:27.000000000 -0400
 | --- nsaserefpolicy/policy/modules/services/xserver.if	2007-07-03 07:06:27.000000000 -0400
 | ||||||
| +++ serefpolicy-3.0.2/policy/modules/services/xserver.if	2007-07-12 09:36:57.000000000 -0400
 | +++ serefpolicy-3.0.2/policy/modules/services/xserver.if	2007-07-12 17:01:56.000000000 -0400
 | ||||||
| @@ -353,9 +353,6 @@
 | @@ -353,12 +353,6 @@
 | ||||||
|  	# allow ps to show xauth |  	# allow ps to show xauth | ||||||
|  	ps_process_pattern($2,$1_xauth_t) |  	ps_process_pattern($2,$1_xauth_t) | ||||||
|   |   | ||||||
| -	allow $2 $1_xauth_home_t:file manage_file_perms;
 | -	allow $2 $1_xauth_home_t:file manage_file_perms;
 | ||||||
| -	allow $2 $1_xauth_home_t:file { relabelfrom relabelto };
 | -	allow $2 $1_xauth_home_t:file { relabelfrom relabelto };
 | ||||||
| -
 | -
 | ||||||
|  	allow xdm_t $1_xauth_home_t:file manage_file_perms; | -	allow xdm_t $1_xauth_home_t:file manage_file_perms;
 | ||||||
|  	userdom_user_home_dir_filetrans($1,xdm_t,$1_xauth_home_t,file) | -	userdom_user_home_dir_filetrans($1,xdm_t,$1_xauth_home_t,file)
 | ||||||
|  | -
 | ||||||
|  |  	domain_use_interactive_fds($1_xauth_t) | ||||||
|   |   | ||||||
| @@ -387,6 +384,14 @@
 |  	files_read_etc_files($1_xauth_t) | ||||||
|  | @@ -387,6 +381,14 @@
 | ||||||
|  	') |  	') | ||||||
|   |   | ||||||
|  	optional_policy(` |  	optional_policy(` | ||||||
| @ -6711,7 +6714,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser | |||||||
|  		nis_use_ypbind($1_xauth_t) |  		nis_use_ypbind($1_xauth_t) | ||||||
|  	') |  	') | ||||||
|   |   | ||||||
| @@ -537,16 +542,14 @@
 | @@ -537,16 +539,14 @@
 | ||||||
|   |   | ||||||
|  	gen_require(` |  	gen_require(` | ||||||
|  		type xdm_t, xdm_tmp_t; |  		type xdm_t, xdm_tmp_t; | ||||||
| @ -6730,7 +6733,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser | |||||||
|   |   | ||||||
|  	# for when /tmp/.X11-unix is created by the system |  	# for when /tmp/.X11-unix is created by the system | ||||||
|  	allow $2 xdm_t:fd use; |  	allow $2 xdm_t:fd use; | ||||||
| @@ -555,6 +558,8 @@
 | @@ -555,25 +555,40 @@
 | ||||||
|  	allow $2 xdm_tmp_t:sock_file { read write }; |  	allow $2 xdm_tmp_t:sock_file { read write }; | ||||||
|  	dontaudit $2 xdm_t:tcp_socket { read write }; |  	dontaudit $2 xdm_t:tcp_socket { read write }; | ||||||
|   |   | ||||||
| @ -6739,8 +6742,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser | |||||||
|  	# Allow connections to X server. |  	# Allow connections to X server. | ||||||
|  	files_search_tmp($2) |  	files_search_tmp($2) | ||||||
|   |   | ||||||
| @@ -565,15 +570,26 @@
 |  	miscfiles_read_fonts($2) | ||||||
|  	userdom_dontaudit_write_user_home_content_files($1,$2) |   | ||||||
|  |  	userdom_search_user_home_dirs($1,$2) | ||||||
|  | -	# for .xsession-errors
 | ||||||
|  | -	userdom_dontaudit_write_user_home_content_files($1,$2)
 | ||||||
|  | +	userdom_manage_user_home_content_dirs($1, xdm_t)
 | ||||||
|  | +	userdom_manage_user_home_content_files($1, xdm_t)
 | ||||||
|  | +	userdom_user_home_dir_filetrans_user_home_content($1, xdm_t, { dir file })
 | ||||||
|   |   | ||||||
|  	xserver_ro_session_template(xdm,$2,$3) |  	xserver_ro_session_template(xdm,$2,$3) | ||||||
| -	xserver_rw_session_template($1,$2,$3)
 | -	xserver_rw_session_template($1,$2,$3)
 | ||||||
| @ -6754,6 +6763,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser | |||||||
| -		allow $2 $1_xserver_tmpfs_t:file rw_file_perms;
 | -		allow $2 $1_xserver_tmpfs_t:file rw_file_perms;
 | ||||||
| +	xserver_xdm_stream_connect($2)
 | +	xserver_xdm_stream_connect($2)
 | ||||||
| +
 | +
 | ||||||
|  | +
 | ||||||
| +	# Read .Xauthority file
 | +	# Read .Xauthority file
 | ||||||
| +	optional_policy(`
 | +	optional_policy(`
 | ||||||
| +		xserver_read_user_xauth($1, $2)
 | +		xserver_read_user_xauth($1, $2)
 | ||||||
| @ -6772,7 +6782,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser | |||||||
|  	') |  	') | ||||||
|  ') |  ') | ||||||
|   |   | ||||||
| @@ -626,6 +642,24 @@
 | @@ -626,6 +641,24 @@
 | ||||||
|   |   | ||||||
|  ######################################## |  ######################################## | ||||||
|  ## <summary> |  ## <summary> | ||||||
| @ -6797,7 +6807,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser | |||||||
|  ##	Transition to a user Xauthority domain. |  ##	Transition to a user Xauthority domain. | ||||||
|  ## </summary> |  ## </summary> | ||||||
|  ## <desc> |  ## <desc> | ||||||
| @@ -659,6 +693,73 @@
 | @@ -659,6 +692,73 @@
 | ||||||
|   |   | ||||||
|  ######################################## |  ######################################## | ||||||
|  ## <summary> |  ## <summary> | ||||||
| @ -6871,7 +6881,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser | |||||||
|  ##	Transition to a user Xauthority domain. |  ##	Transition to a user Xauthority domain. | ||||||
|  ## </summary> |  ## </summary> | ||||||
|  ## <desc> |  ## <desc> | ||||||
| @@ -1136,7 +1237,7 @@
 | @@ -1136,7 +1236,7 @@
 | ||||||
|  		type xdm_xserver_tmp_t; |  		type xdm_xserver_tmp_t; | ||||||
|  	') |  	') | ||||||
|   |   | ||||||
| @ -6880,7 +6890,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser | |||||||
|  ') |  ') | ||||||
|   |   | ||||||
|  ######################################## |  ######################################## | ||||||
| @@ -1325,3 +1426,24 @@
 | @@ -1325,3 +1425,23 @@
 | ||||||
|  	files_search_tmp($1) |  	files_search_tmp($1) | ||||||
|  	stream_connect_pattern($1,xdm_xserver_tmp_t,xdm_xserver_tmp_t,xdm_xserver_t) |  	stream_connect_pattern($1,xdm_xserver_tmp_t,xdm_xserver_tmp_t,xdm_xserver_t) | ||||||
|  ') |  ') | ||||||
| @ -6904,7 +6914,6 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser | |||||||
| +	allow $1 xdm_var_run_t:sock_file write;
 | +	allow $1 xdm_var_run_t:sock_file write;
 | ||||||
| +	allow $1 xdm_t:unix_stream_socket connectto;
 | +	allow $1 xdm_t:unix_stream_socket connectto;
 | ||||||
| +')
 | +')
 | ||||||
| +
 |  | ||||||
| diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.te serefpolicy-3.0.2/policy/modules/services/xserver.te
 | diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.te serefpolicy-3.0.2/policy/modules/services/xserver.te
 | ||||||
| --- nsaserefpolicy/policy/modules/services/xserver.te	2007-07-03 07:06:27.000000000 -0400
 | --- nsaserefpolicy/policy/modules/services/xserver.te	2007-07-03 07:06:27.000000000 -0400
 | ||||||
| +++ serefpolicy-3.0.2/policy/modules/services/xserver.te	2007-07-11 10:06:28.000000000 -0400
 | +++ serefpolicy-3.0.2/policy/modules/services/xserver.te	2007-07-11 10:06:28.000000000 -0400
 | ||||||
| @ -7563,8 +7572,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/brctl. | |||||||
| +')
 | +')
 | ||||||
| diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/brctl.te serefpolicy-3.0.2/policy/modules/system/brctl.te
 | diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/brctl.te serefpolicy-3.0.2/policy/modules/system/brctl.te
 | ||||||
| --- nsaserefpolicy/policy/modules/system/brctl.te	1969-12-31 19:00:00.000000000 -0500
 | --- nsaserefpolicy/policy/modules/system/brctl.te	1969-12-31 19:00:00.000000000 -0500
 | ||||||
| +++ serefpolicy-3.0.2/policy/modules/system/brctl.te	2007-07-11 10:06:28.000000000 -0400
 | +++ serefpolicy-3.0.2/policy/modules/system/brctl.te	2007-07-12 15:49:33.000000000 -0400
 | ||||||
| @@ -0,0 +1,38 @@
 | @@ -0,0 +1,41 @@
 | ||||||
| +policy_module(brctl,1.0.0)
 | +policy_module(brctl,1.0.0)
 | ||||||
| +
 | +
 | ||||||
| +########################################
 | +########################################
 | ||||||
| @ -7582,10 +7591,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/brctl. | |||||||
| +# brctl local policy
 | +# brctl local policy
 | ||||||
| +#
 | +#
 | ||||||
| +
 | +
 | ||||||
|  | +allow brctl_t self:tcp_socket create_socket_perms;
 | ||||||
|  | +allow brctl_t self:unix_dgram_socket create_socket_perms;
 | ||||||
|  | +
 | ||||||
| +# Init script handling
 | +# Init script handling
 | ||||||
| +domain_use_interactive_fds(brctl_t)
 | +domain_use_interactive_fds(brctl_t)
 | ||||||
| +
 | +
 | ||||||
| +kernel_load_module(brctl_t)
 | +kernel_load_module(brctl_t)
 | ||||||
|  | +kernel_read_network_state(brctl_t)
 | ||||||
| +
 | +
 | ||||||
| +## internal communication is often done using fifo and unix sockets.
 | +## internal communication is often done using fifo and unix sockets.
 | ||||||
| +allow brctl_t self:fifo_file rw_file_perms;
 | +allow brctl_t self:fifo_file rw_file_perms;
 | ||||||
| @ -7602,7 +7615,6 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/brctl. | |||||||
| +	term_dontaudit_use_unallocated_ttys(brctl_t)
 | +	term_dontaudit_use_unallocated_ttys(brctl_t)
 | ||||||
| +	term_dontaudit_use_generic_ptys(brctl_t)
 | +	term_dontaudit_use_generic_ptys(brctl_t)
 | ||||||
| +')
 | +')
 | ||||||
| +
 |  | ||||||
| diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/fstools.fc serefpolicy-3.0.2/policy/modules/system/fstools.fc
 | diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/fstools.fc serefpolicy-3.0.2/policy/modules/system/fstools.fc
 | ||||||
| --- nsaserefpolicy/policy/modules/system/fstools.fc	2007-06-11 16:05:30.000000000 -0400
 | --- nsaserefpolicy/policy/modules/system/fstools.fc	2007-06-11 16:05:30.000000000 -0400
 | ||||||
| +++ serefpolicy-3.0.2/policy/modules/system/fstools.fc	2007-07-11 10:06:28.000000000 -0400
 | +++ serefpolicy-3.0.2/policy/modules/system/fstools.fc	2007-07-11 10:06:28.000000000 -0400
 | ||||||
| @ -8931,7 +8943,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu | |||||||
|  # |  # | ||||||
| diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinuxutil.if serefpolicy-3.0.2/policy/modules/system/selinuxutil.if
 | diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinuxutil.if serefpolicy-3.0.2/policy/modules/system/selinuxutil.if
 | ||||||
| --- nsaserefpolicy/policy/modules/system/selinuxutil.if	2007-05-30 11:47:29.000000000 -0400
 | --- nsaserefpolicy/policy/modules/system/selinuxutil.if	2007-05-30 11:47:29.000000000 -0400
 | ||||||
| +++ serefpolicy-3.0.2/policy/modules/system/selinuxutil.if	2007-07-11 10:06:29.000000000 -0400
 | +++ serefpolicy-3.0.2/policy/modules/system/selinuxutil.if	2007-07-12 10:58:12.000000000 -0400
 | ||||||
| @@ -432,6 +432,7 @@
 | @@ -432,6 +432,7 @@
 | ||||||
|  	role $2 types run_init_t; |  	role $2 types run_init_t; | ||||||
|  	allow run_init_t $3:chr_file rw_term_perms; |  	allow run_init_t $3:chr_file rw_term_perms; | ||||||
| @ -8940,6 +8952,82 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu | |||||||
|  ') |  ') | ||||||
|   |   | ||||||
|  ######################################## |  ######################################## | ||||||
|  | @@ -968,6 +969,26 @@
 | ||||||
|  |   | ||||||
|  |  ######################################## | ||||||
|  |  ## <summary> | ||||||
|  | +##	Execute a domain transition to run setsebool.
 | ||||||
|  | +## </summary>
 | ||||||
|  | +## <param name="domain">
 | ||||||
|  | +##	<summary>
 | ||||||
|  | +##	Domain allowed to transition.
 | ||||||
|  | +##	</summary>
 | ||||||
|  | +## </param>
 | ||||||
|  | +#
 | ||||||
|  | +interface(`seutil_domtrans_setsebool',`
 | ||||||
|  | +	gen_require(`
 | ||||||
|  | +		type semanage_t, setsebool_exec_t;
 | ||||||
|  | +	')
 | ||||||
|  | +
 | ||||||
|  | +	files_search_usr($1)
 | ||||||
|  | +	corecmd_search_bin($1)
 | ||||||
|  | +	domtrans_pattern($1,setsebool_exec_t,semanage_t)
 | ||||||
|  | +')
 | ||||||
|  | +
 | ||||||
|  | +########################################
 | ||||||
|  | +## <summary>
 | ||||||
|  |  ##	Execute semanage in the semanage domain, and | ||||||
|  |  ##	allow the specified role the semanage domain, | ||||||
|  |  ##	and use the caller's terminal. | ||||||
|  | @@ -979,7 +1000,7 @@
 | ||||||
|  |  ## </param> | ||||||
|  |  ## <param name="role"> | ||||||
|  |  ##	<summary> | ||||||
|  | -##	The role to be allowed the checkpolicy domain.
 | ||||||
|  | +##	The role to be allowed the semanage domain.
 | ||||||
|  |  ##	</summary> | ||||||
|  |  ## </param> | ||||||
|  |  ## <param name="terminal"> | ||||||
|  | @@ -1001,6 +1022,39 @@
 | ||||||
|  |   | ||||||
|  |  ######################################## | ||||||
|  |  ## <summary> | ||||||
|  | +##	Execute setsebool in the semanage domain, and
 | ||||||
|  | +##	allow the specified role the semanage domain,
 | ||||||
|  | +##	and use the caller's terminal.
 | ||||||
|  | +## </summary>
 | ||||||
|  | +## <param name="domain">
 | ||||||
|  | +##	<summary>
 | ||||||
|  | +##	Domain allowed access.
 | ||||||
|  | +##	</summary>
 | ||||||
|  | +## </param>
 | ||||||
|  | +## <param name="role">
 | ||||||
|  | +##	<summary>
 | ||||||
|  | +##	The role to be allowed the semanage domain.
 | ||||||
|  | +##	</summary>
 | ||||||
|  | +## </param>
 | ||||||
|  | +## <param name="terminal">
 | ||||||
|  | +##	<summary>
 | ||||||
|  | +##	The type of the terminal allow the semanage domain to use.
 | ||||||
|  | +##	</summary>
 | ||||||
|  | +## </param>
 | ||||||
|  | +## <rolecap/>
 | ||||||
|  | +#
 | ||||||
|  | +interface(`seutil_run_setsebool',`
 | ||||||
|  | +	gen_require(`
 | ||||||
|  | +		type semanage_t;
 | ||||||
|  | +	')
 | ||||||
|  | +
 | ||||||
|  | +	seutil_domtrans_setsebool($1)
 | ||||||
|  | +	role $2 types semanage_t;
 | ||||||
|  | +	allow semanage_t $3:chr_file rw_term_perms;
 | ||||||
|  | +')
 | ||||||
|  | +
 | ||||||
|  | +########################################
 | ||||||
|  | +## <summary>
 | ||||||
|  |  ##	Full management of the semanage | ||||||
|  |  ##	module store. | ||||||
|  |  ## </summary> | ||||||
| diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinuxutil.te serefpolicy-3.0.2/policy/modules/system/selinuxutil.te
 | diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinuxutil.te serefpolicy-3.0.2/policy/modules/system/selinuxutil.te
 | ||||||
| --- nsaserefpolicy/policy/modules/system/selinuxutil.te	2007-05-30 11:47:29.000000000 -0400
 | --- nsaserefpolicy/policy/modules/system/selinuxutil.te	2007-05-30 11:47:29.000000000 -0400
 | ||||||
| +++ serefpolicy-3.0.2/policy/modules/system/selinuxutil.te	2007-07-12 09:43:18.000000000 -0400
 | +++ serefpolicy-3.0.2/policy/modules/system/selinuxutil.te	2007-07-12 09:43:18.000000000 -0400
 | ||||||
| @ -9488,7 +9576,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf | |||||||
| +')
 | +')
 | ||||||
| diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.te serefpolicy-3.0.2/policy/modules/system/unconfined.te
 | diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.te serefpolicy-3.0.2/policy/modules/system/unconfined.te
 | ||||||
| --- nsaserefpolicy/policy/modules/system/unconfined.te	2007-06-15 14:54:34.000000000 -0400
 | --- nsaserefpolicy/policy/modules/system/unconfined.te	2007-06-15 14:54:34.000000000 -0400
 | ||||||
| +++ serefpolicy-3.0.2/policy/modules/system/unconfined.te	2007-07-11 10:06:29.000000000 -0400
 | +++ serefpolicy-3.0.2/policy/modules/system/unconfined.te	2007-07-12 10:58:38.000000000 -0400
 | ||||||
| @@ -5,30 +5,36 @@
 | @@ -5,30 +5,36 @@
 | ||||||
|  # |  # | ||||||
|  # Declarations |  # Declarations | ||||||
| @ -9542,13 +9630,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf | |||||||
|   |   | ||||||
|  libs_run_ldconfig(unconfined_t,unconfined_r,{ unconfined_devpts_t unconfined_tty_device_t }) |  libs_run_ldconfig(unconfined_t,unconfined_r,{ unconfined_devpts_t unconfined_tty_device_t }) | ||||||
|   |   | ||||||
| @@ -44,23 +51,21 @@
 | @@ -44,23 +51,22 @@
 | ||||||
|  logging_run_auditctl(unconfined_t,unconfined_r,{ unconfined_devpts_t unconfined_tty_device_t }) |  logging_run_auditctl(unconfined_t,unconfined_r,{ unconfined_devpts_t unconfined_tty_device_t }) | ||||||
|   |   | ||||||
|  mount_run_unconfined(unconfined_t,unconfined_r,{ unconfined_devpts_t unconfined_tty_device_t }) |  mount_run_unconfined(unconfined_t,unconfined_r,{ unconfined_devpts_t unconfined_tty_device_t }) | ||||||
| +# Unconfined running as system_r
 | +# Unconfined running as system_r
 | ||||||
| +mount_domtrans_unconfined(unconfined_t)
 | +mount_domtrans_unconfined(unconfined_t)
 | ||||||
|   |   | ||||||
|  | +seutil_run_setsebool(unconfined_t,unconfined_r,{ unconfined_devpts_t unconfined_tty_device_t })
 | ||||||
|  seutil_run_setfiles(unconfined_t,unconfined_r,{ unconfined_devpts_t unconfined_tty_device_t }) |  seutil_run_setfiles(unconfined_t,unconfined_r,{ unconfined_devpts_t unconfined_tty_device_t }) | ||||||
|  seutil_run_semanage(unconfined_t,unconfined_r,{ unconfined_devpts_t unconfined_tty_device_t }) |  seutil_run_semanage(unconfined_t,unconfined_r,{ unconfined_devpts_t unconfined_tty_device_t }) | ||||||
|   |   | ||||||
| @ -9570,7 +9659,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf | |||||||
|  ') |  ') | ||||||
|   |   | ||||||
|  optional_policy(` |  optional_policy(` | ||||||
| @@ -68,16 +73,6 @@
 | @@ -68,16 +74,6 @@
 | ||||||
|  ') |  ') | ||||||
|   |   | ||||||
|  optional_policy(` |  optional_policy(` | ||||||
| @ -9587,7 +9676,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf | |||||||
|  	init_dbus_chat_script(unconfined_t) |  	init_dbus_chat_script(unconfined_t) | ||||||
|   |   | ||||||
|  	dbus_stub(unconfined_t) |  	dbus_stub(unconfined_t) | ||||||
| @@ -120,11 +115,7 @@
 | @@ -120,11 +116,7 @@
 | ||||||
|  ') |  ') | ||||||
|   |   | ||||||
|  optional_policy(` |  optional_policy(` | ||||||
| @ -9600,7 +9689,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf | |||||||
|  ') |  ') | ||||||
|   |   | ||||||
|  optional_policy(` |  optional_policy(` | ||||||
| @@ -136,11 +127,7 @@
 | @@ -136,11 +128,7 @@
 | ||||||
|  ') |  ') | ||||||
|   |   | ||||||
|  optional_policy(` |  optional_policy(` | ||||||
| @ -9613,7 +9702,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf | |||||||
|  ') |  ') | ||||||
|   |   | ||||||
|  optional_policy(` |  optional_policy(` | ||||||
| @@ -157,18 +144,6 @@
 | @@ -157,18 +145,6 @@
 | ||||||
|   |   | ||||||
|  optional_policy(` |  optional_policy(` | ||||||
|  	postfix_run_map(unconfined_t,unconfined_r,{ unconfined_devpts_t unconfined_tty_device_t }) |  	postfix_run_map(unconfined_t,unconfined_r,{ unconfined_devpts_t unconfined_tty_device_t }) | ||||||
| @ -9632,7 +9721,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf | |||||||
|  ') |  ') | ||||||
|   |   | ||||||
|  optional_policy(` |  optional_policy(` | ||||||
| @@ -182,10 +157,6 @@
 | @@ -182,10 +158,6 @@
 | ||||||
|  ') |  ') | ||||||
|   |   | ||||||
|  optional_policy(` |  optional_policy(` | ||||||
| @ -9643,7 +9732,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf | |||||||
|  	sysnet_run_dhcpc(unconfined_t,unconfined_r,{ unconfined_devpts_t unconfined_tty_device_t }) |  	sysnet_run_dhcpc(unconfined_t,unconfined_r,{ unconfined_devpts_t unconfined_tty_device_t }) | ||||||
|  	sysnet_dbus_chat_dhcpc(unconfined_t) |  	sysnet_dbus_chat_dhcpc(unconfined_t) | ||||||
|  ') |  ') | ||||||
| @@ -207,7 +178,7 @@
 | @@ -207,7 +179,7 @@
 | ||||||
|  ') |  ') | ||||||
|   |   | ||||||
|  optional_policy(` |  optional_policy(` | ||||||
| @ -9652,7 +9741,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf | |||||||
|  ') |  ') | ||||||
|   |   | ||||||
|  optional_policy(` |  optional_policy(` | ||||||
| @@ -229,6 +200,12 @@
 | @@ -229,6 +201,12 @@
 | ||||||
|  	unconfined_dbus_chat(unconfined_execmem_t) |  	unconfined_dbus_chat(unconfined_execmem_t) | ||||||
|   |   | ||||||
|  	optional_policy(` |  	optional_policy(` | ||||||
| @ -9667,7 +9756,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf | |||||||
| +corecmd_exec_all_executables(unconfined_t)
 | +corecmd_exec_all_executables(unconfined_t)
 | ||||||
| diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.0.2/policy/modules/system/userdomain.if
 | diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.0.2/policy/modules/system/userdomain.if
 | ||||||
| --- nsaserefpolicy/policy/modules/system/userdomain.if	2007-07-03 07:06:32.000000000 -0400
 | --- nsaserefpolicy/policy/modules/system/userdomain.if	2007-07-03 07:06:32.000000000 -0400
 | ||||||
| +++ serefpolicy-3.0.2/policy/modules/system/userdomain.if	2007-07-11 10:06:29.000000000 -0400
 | +++ serefpolicy-3.0.2/policy/modules/system/userdomain.if	2007-07-12 17:08:16.000000000 -0400
 | ||||||
| @@ -62,6 +62,10 @@
 | @@ -62,6 +62,10 @@
 | ||||||
|   |   | ||||||
|  	allow $1_t $1_tty_device_t:chr_file { setattr rw_chr_file_perms }; |  	allow $1_t $1_tty_device_t:chr_file { setattr rw_chr_file_perms }; | ||||||
| @ -9996,7 +10085,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo | |||||||
|  		samba_stream_connect_winbind($1_t) |  		samba_stream_connect_winbind($1_t) | ||||||
|  	') |  	') | ||||||
|   |   | ||||||
| @@ -962,21 +876,122 @@
 | @@ -962,21 +876,158 @@
 | ||||||
|  ##	</summary> |  ##	</summary> | ||||||
|  ## </param> |  ## </param> | ||||||
|  # |  # | ||||||
| @ -10017,6 +10106,24 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo | |||||||
| +	filetrans_pattern(privhome,$1_home_dir_t,$1_home_t,{ dir file lnk_file sock_file fifo_file })
 | +	filetrans_pattern(privhome,$1_home_dir_t,$1_home_t,{ dir file lnk_file sock_file fifo_file })
 | ||||||
| +')
 | +')
 | ||||||
| +
 | +
 | ||||||
|  | +#######################################
 | ||||||
|  | +## <summary>
 | ||||||
|  | +##	The template for creating a login user.
 | ||||||
|  | +## </summary>
 | ||||||
|  | +## <desc>
 | ||||||
|  | +##	<p>
 | ||||||
|  | +##	This template creates a user domain, types, and
 | ||||||
|  | +##	rules for the user's tty, pty, home directories,
 | ||||||
|  | +##	tmp, and tmpfs files.
 | ||||||
|  | +##	</p>
 | ||||||
|  | +## </desc>
 | ||||||
|  | +## <param name="userdomain_prefix">
 | ||||||
|  | +##	<summary>
 | ||||||
|  | +##	The prefix of the user domain (e.g., user
 | ||||||
|  | +##	is the prefix for user_t).
 | ||||||
|  | +##	</summary>
 | ||||||
|  | +## </param>
 | ||||||
|  | +#
 | ||||||
| +template(`userdom_login_user_template', `
 | +template(`userdom_login_user_template', `
 | ||||||
| +	userdom_base_user_template($1)
 | +	userdom_base_user_template($1)
 | ||||||
| +
 | +
 | ||||||
| @ -10112,6 +10219,24 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo | |||||||
| +	')
 | +	')
 | ||||||
| +')
 | +')
 | ||||||
| +
 | +
 | ||||||
|  | +#######################################
 | ||||||
|  | +## <summary>
 | ||||||
|  | +##	The template for creating a unprivileged login user.
 | ||||||
|  | +## </summary>
 | ||||||
|  | +## <desc>
 | ||||||
|  | +##	<p>
 | ||||||
|  | +##	This template creates a user domain, types, and
 | ||||||
|  | +##	rules for the user's tty, pty, home directories,
 | ||||||
|  | +##	tmp, and tmpfs files.
 | ||||||
|  | +##	</p>
 | ||||||
|  | +## </desc>
 | ||||||
|  | +## <param name="userdomain_prefix">
 | ||||||
|  | +##	<summary>
 | ||||||
|  | +##	The prefix of the user domain (e.g., user
 | ||||||
|  | +##	is the prefix for user_t).
 | ||||||
|  | +##	</summary>
 | ||||||
|  | +## </param>
 | ||||||
|  | +#
 | ||||||
| +template(`userdom_unpriv_login_user', `
 | +template(`userdom_unpriv_login_user', `
 | ||||||
| +	gen_require(`
 | +	gen_require(`
 | ||||||
| +		attribute unpriv_userdomain;
 | +		attribute unpriv_userdomain;
 | ||||||
| @ -10125,7 +10250,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo | |||||||
|  	domain_interactive_fd($1_t) |  	domain_interactive_fd($1_t) | ||||||
|   |   | ||||||
|  	typeattribute $1_devpts_t user_ptynode; |  	typeattribute $1_devpts_t user_ptynode; | ||||||
| @@ -985,15 +1000,45 @@
 | @@ -985,15 +1036,45 @@
 | ||||||
|  	typeattribute $1_tmp_t user_tmpfile; |  	typeattribute $1_tmp_t user_tmpfile; | ||||||
|  	typeattribute $1_tty_device_t user_ttynode; |  	typeattribute $1_tty_device_t user_ttynode; | ||||||
|   |   | ||||||
| @ -10175,7 +10300,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo | |||||||
|   |   | ||||||
|  	# port access is audited even if dac would not have allowed it, so dontaudit it here |  	# port access is audited even if dac would not have allowed it, so dontaudit it here | ||||||
|  	corenet_dontaudit_tcp_bind_all_reserved_ports($1_t) |  	corenet_dontaudit_tcp_bind_all_reserved_ports($1_t) | ||||||
| @@ -1033,14 +1078,6 @@
 | @@ -1033,14 +1114,6 @@
 | ||||||
|  	') |  	') | ||||||
|   |   | ||||||
|  	optional_policy(` |  	optional_policy(` | ||||||
| @ -10190,7 +10315,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo | |||||||
|  		netutils_run_ping_cond($1_t,$1_r,{ $1_tty_device_t $1_devpts_t }) |  		netutils_run_ping_cond($1_t,$1_r,{ $1_tty_device_t $1_devpts_t }) | ||||||
|  		netutils_run_traceroute_cond($1_t,$1_r,{ $1_tty_device_t $1_devpts_t }) |  		netutils_run_traceroute_cond($1_t,$1_r,{ $1_tty_device_t $1_devpts_t }) | ||||||
|  	') |  	') | ||||||
| @@ -1054,12 +1091,8 @@
 | @@ -1054,12 +1127,8 @@
 | ||||||
|  		setroubleshoot_stream_connect($1_t) |  		setroubleshoot_stream_connect($1_t) | ||||||
|  	') |  	') | ||||||
|   |   | ||||||
| @ -10204,7 +10329,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo | |||||||
|  	# Do not audit write denials to /etc/ld.so.cache. |  	# Do not audit write denials to /etc/ld.so.cache. | ||||||
|  	dontaudit $1_t ld_so_cache_t:file write; |  	dontaudit $1_t ld_so_cache_t:file write; | ||||||
|   |   | ||||||
| @@ -1102,6 +1135,8 @@
 | @@ -1102,6 +1171,8 @@
 | ||||||
|  		class passwd { passwd chfn chsh rootok crontab }; |  		class passwd { passwd chfn chsh rootok crontab }; | ||||||
|  	') |  	') | ||||||
|   |   | ||||||
| @ -10213,7 +10338,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo | |||||||
|  	############################## |  	############################## | ||||||
|  	# |  	# | ||||||
|  	# Declarations |  	# Declarations | ||||||
| @@ -1127,7 +1162,7 @@
 | @@ -1127,7 +1198,7 @@
 | ||||||
|  	# $1_t local policy |  	# $1_t local policy | ||||||
|  	# |  	# | ||||||
|   |   | ||||||
| @ -10222,7 +10347,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo | |||||||
|  	allow $1_t self:process { setexec setfscreate }; |  	allow $1_t self:process { setexec setfscreate }; | ||||||
|   |   | ||||||
|  	# Set password information for other users. |  	# Set password information for other users. | ||||||
| @@ -1139,8 +1174,6 @@
 | @@ -1139,8 +1210,6 @@
 | ||||||
|  	# Manipulate other users crontab. |  	# Manipulate other users crontab. | ||||||
|  	allow $1_t self:passwd crontab; |  	allow $1_t self:passwd crontab; | ||||||
|   |   | ||||||
| @ -10231,7 +10356,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo | |||||||
|  	kernel_read_software_raid_state($1_t) |  	kernel_read_software_raid_state($1_t) | ||||||
|  	kernel_getattr_core_if($1_t) |  	kernel_getattr_core_if($1_t) | ||||||
|  	kernel_getattr_message_if($1_t) |  	kernel_getattr_message_if($1_t) | ||||||
| @@ -3078,7 +3111,7 @@
 | @@ -3078,7 +3147,7 @@
 | ||||||
|  # |  # | ||||||
|  template(`userdom_tmp_filetrans_user_tmp',` |  template(`userdom_tmp_filetrans_user_tmp',` | ||||||
|  	gen_require(` |  	gen_require(` | ||||||
| @ -10240,7 +10365,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo | |||||||
|  	') |  	') | ||||||
|   |   | ||||||
|  	files_tmp_filetrans($2,$1_tmp_t,$3) |  	files_tmp_filetrans($2,$1_tmp_t,$3) | ||||||
| @@ -5323,7 +5356,7 @@
 | @@ -5323,7 +5392,7 @@
 | ||||||
|  		attribute user_tmpfile; |  		attribute user_tmpfile; | ||||||
|  	') |  	') | ||||||
|   |   | ||||||
| @ -10249,7 +10374,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo | |||||||
|  ') |  ') | ||||||
|   |   | ||||||
|  ######################################## |  ######################################## | ||||||
| @@ -5548,6 +5581,26 @@
 | @@ -5548,6 +5617,26 @@
 | ||||||
|   |   | ||||||
|  ######################################## |  ######################################## | ||||||
|  ## <summary> |  ## <summary> | ||||||
| @ -10276,7 +10401,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo | |||||||
|  ##	Unconfined access to user domains.  (Deprecated) |  ##	Unconfined access to user domains.  (Deprecated) | ||||||
|  ## </summary> |  ## </summary> | ||||||
|  ## <param name="domain"> |  ## <param name="domain"> | ||||||
| @@ -5559,3 +5612,124 @@
 | @@ -5559,3 +5648,173 @@
 | ||||||
|  interface(`userdom_unconfined',` |  interface(`userdom_unconfined',` | ||||||
|  	refpolicywarn(`$0($*) has been deprecated.') |  	refpolicywarn(`$0($*) has been deprecated.') | ||||||
|  ') |  ') | ||||||
| @ -10401,9 +10526,58 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo | |||||||
| +	allow $1 user_home_type:file unlink;
 | +	allow $1 user_home_type:file unlink;
 | ||||||
| +')
 | +')
 | ||||||
| +
 | +
 | ||||||
|  | +#######################################
 | ||||||
|  | +## <summary>
 | ||||||
|  | +##	The template for creating a unprivileged login user.
 | ||||||
|  | +## </summary>
 | ||||||
|  | +## <desc>
 | ||||||
|  | +##	<p>
 | ||||||
|  | +##	This template creates a user domain, types, and
 | ||||||
|  | +##	rules for the user's tty, pty, home directories,
 | ||||||
|  | +##	tmp, and tmpfs files.
 | ||||||
|  | +##	</p>
 | ||||||
|  | +## </desc>
 | ||||||
|  | +## <param name="userdomain_prefix">
 | ||||||
|  | +##	<summary>
 | ||||||
|  | +##	The prefix of the user domain (e.g., user
 | ||||||
|  | +##	is the prefix for user_t).
 | ||||||
|  | +##	</summary>
 | ||||||
|  | +## </param>
 | ||||||
|  | +#
 | ||||||
|  | +template(`userdom_unpriv_xwindows_login_user', `
 | ||||||
|  | +
 | ||||||
|  | +userdom_unpriv_login_user($1)
 | ||||||
|  | +userdom_xwindows_client_template($1)
 | ||||||
|  | +
 | ||||||
|  | +auth_exec_pam($1_t)
 | ||||||
|  | +logging_send_syslog_msg($1_t)
 | ||||||
|  | +
 | ||||||
|  | +optional_policy(`
 | ||||||
|  | +	alsa_read_rw_config($1_t)
 | ||||||
|  | +')
 | ||||||
|  | +authlogin_per_role_template($1, $1_t, $1_r)
 | ||||||
|  | +
 | ||||||
|  | +optional_policy(`
 | ||||||
|  | +	dbus_per_role_template($1, $1_t, $1_r)
 | ||||||
|  | +	dbus_system_bus_client_template($1, $1_t)
 | ||||||
|  | +	allow $1_t self:dbus send_msg;
 | ||||||
|  | +')
 | ||||||
|  | +
 | ||||||
|  | +optional_policy(`
 | ||||||
|  | +	ssh_per_role_template($1, $1_t, $1_r)
 | ||||||
|  | +')
 | ||||||
|  | +
 | ||||||
|  | +optional_policy(`
 | ||||||
|  | +	setroubleshoot_dontaudit_stream_connect($1_t)
 | ||||||
|  | +')
 | ||||||
|  | +
 | ||||||
|  | +#dev_read_rand($1_t)
 | ||||||
|  | +
 | ||||||
|  | +')
 | ||||||
|  | +')
 | ||||||
| diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.te serefpolicy-3.0.2/policy/modules/system/userdomain.te
 | diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.te serefpolicy-3.0.2/policy/modules/system/userdomain.te
 | ||||||
| --- nsaserefpolicy/policy/modules/system/userdomain.te	2007-07-03 07:06:32.000000000 -0400
 | --- nsaserefpolicy/policy/modules/system/userdomain.te	2007-07-03 07:06:32.000000000 -0400
 | ||||||
| +++ serefpolicy-3.0.2/policy/modules/system/userdomain.te	2007-07-11 10:06:29.000000000 -0400
 | +++ serefpolicy-3.0.2/policy/modules/system/userdomain.te	2007-07-12 10:51:56.000000000 -0400
 | ||||||
| @@ -74,6 +74,9 @@
 | @@ -74,6 +74,9 @@
 | ||||||
|  # users home directory contents |  # users home directory contents | ||||||
|  attribute home_type; |  attribute home_type; | ||||||
| @ -10477,7 +10651,13 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo | |||||||
|  	netutils_run(sysadm_t,sysadm_r,admin_terminal) |  	netutils_run(sysadm_t,sysadm_r,admin_terminal) | ||||||
|  	netutils_run_ping(sysadm_t,sysadm_r,admin_terminal) |  	netutils_run_ping(sysadm_t,sysadm_r,admin_terminal) | ||||||
|  	netutils_run_traceroute(sysadm_t,sysadm_r,admin_terminal) |  	netutils_run_traceroute(sysadm_t,sysadm_r,admin_terminal) | ||||||
| @@ -456,6 +457,9 @@
 | @@ -451,11 +452,15 @@
 | ||||||
|  |  ') | ||||||
|  |   | ||||||
|  |  optional_policy(` | ||||||
|  | +	seutil_run_setsebool(sysadm_t,sysadm_r,admin_terminal)
 | ||||||
|  |  	seutil_run_setfiles(sysadm_t,sysadm_r,admin_terminal) | ||||||
|  |  	seutil_run_runinit(sysadm_t,sysadm_r,admin_terminal) | ||||||
|   |   | ||||||
|  	ifdef(`enable_mls',` |  	ifdef(`enable_mls',` | ||||||
|  		userdom_security_admin_template(secadm_t,secadm_r,{ secadm_tty_device_t sysadm_devpts_t }) |  		userdom_security_admin_template(secadm_t,secadm_r,{ secadm_tty_device_t sysadm_devpts_t }) | ||||||
| @ -10487,7 +10667,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo | |||||||
|  	', ` |  	', ` | ||||||
|  		userdom_security_admin_template(sysadm_t,sysadm_r,admin_terminal) |  		userdom_security_admin_template(sysadm_t,sysadm_r,admin_terminal) | ||||||
|  	') |  	') | ||||||
| @@ -498,3 +502,7 @@
 | @@ -498,3 +503,7 @@
 | ||||||
|  optional_policy(` |  optional_policy(` | ||||||
|  	yam_run(sysadm_t,sysadm_r,admin_terminal) |  	yam_run(sysadm_t,sysadm_r,admin_terminal) | ||||||
|  ') |  ') | ||||||
| @ -10541,135 +10721,13 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/guest.i | |||||||
| +## <summary>Policy for guest user</summary>
 | +## <summary>Policy for guest user</summary>
 | ||||||
| diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/guest.te serefpolicy-3.0.2/policy/modules/users/guest.te
 | diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/guest.te serefpolicy-3.0.2/policy/modules/users/guest.te
 | ||||||
| --- nsaserefpolicy/policy/modules/users/guest.te	1969-12-31 19:00:00.000000000 -0500
 | --- nsaserefpolicy/policy/modules/users/guest.te	1969-12-31 19:00:00.000000000 -0500
 | ||||||
| +++ serefpolicy-3.0.2/policy/modules/users/guest.te	2007-07-11 10:06:29.000000000 -0400
 | +++ serefpolicy-3.0.2/policy/modules/users/guest.te	2007-07-12 17:31:09.000000000 -0400
 | ||||||
| @@ -0,0 +1,127 @@
 | @@ -0,0 +1,5 @@
 | ||||||
| +policy_module(guest,1.0.0)
 | +policy_module(guest,1.0.0)
 | ||||||
| +
 |  | ||||||
| +define(`userdom_login_user', `
 |  | ||||||
| +	userdom_base_user_template($1)
 |  | ||||||
| +
 |  | ||||||
| +	userdom_manage_home_template($1)
 |  | ||||||
| +	userdom_exec_home_template($1)
 |  | ||||||
| +	userdom_manage_tmp_template($1)
 |  | ||||||
| +	userdom_exec_tmp_template($1)
 |  | ||||||
| +	userdom_manage_tmpfs_template($1)
 |  | ||||||
| +
 |  | ||||||
| +	userdom_change_password_template($1)
 |  | ||||||
| +
 |  | ||||||
| +	role $1_r types $1_t;
 |  | ||||||
| +	allow system_r $1_r;
 |  | ||||||
| +
 |  | ||||||
| +	application_exec_all($1_t)
 |  | ||||||
| +
 |  | ||||||
| +	allow $1_t self:capability { setgid chown fowner };
 |  | ||||||
| +	dontaudit $1_t self:capability { sys_nice fsetid };
 |  | ||||||
| +	allow $1_t self:process ~{ setcurrent setexec setrlimit execmem execstack execheap };
 |  | ||||||
| +	
 |  | ||||||
| +	dontaudit $1_t self:netlink_route_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown nlmsg_read nlmsg_write };
 |  | ||||||
| +
 |  | ||||||
| +	##############################
 |  | ||||||
| +	#
 |  | ||||||
| +	# User domain Local policy
 |  | ||||||
| +	#
 |  | ||||||
| +
 |  | ||||||
| +	kernel_read_system_state($1_t)
 |  | ||||||
| +
 |  | ||||||
| +	dev_read_sysfs($1_t)
 |  | ||||||
| +	dev_read_urand($1_t)
 |  | ||||||
| +
 |  | ||||||
| +	domain_use_interactive_fds($1_t)
 |  | ||||||
| +	# Command completion can fire hundreds of denials
 |  | ||||||
| +	domain_dontaudit_exec_all_entry_files($1_t)
 |  | ||||||
| +
 |  | ||||||
| +	# Stat lost+found.
 |  | ||||||
| +	files_getattr_lost_found_dirs($1_t)
 |  | ||||||
| +
 |  | ||||||
| +	fs_get_all_fs_quotas($1_t)
 |  | ||||||
| +	fs_getattr_all_fs($1_t)
 |  | ||||||
| +	fs_getattr_all_dirs($1_t)
 |  | ||||||
| +	fs_search_auto_mountpoints($1_t)
 |  | ||||||
| +	fs_list_inotifyfs($1_t)
 |  | ||||||
| +
 |  | ||||||
| +	# Stop warnings about access to /dev/console
 |  | ||||||
| +	init_dontaudit_rw_utmp($1_t)
 |  | ||||||
| +	init_dontaudit_use_fds($1_t)
 |  | ||||||
| +	init_dontaudit_use_script_fds($1_t)
 |  | ||||||
| +
 |  | ||||||
| +	libs_exec_lib_files($1_t)
 |  | ||||||
| +
 |  | ||||||
| +	logging_dontaudit_getattr_all_logs($1_t)
 |  | ||||||
| +
 |  | ||||||
| +	miscfiles_read_man_pages($1_t)
 |  | ||||||
| +	# for running TeX programs
 |  | ||||||
| +	miscfiles_read_tetex_data($1_t)
 |  | ||||||
| +	miscfiles_exec_tetex_data($1_t)
 |  | ||||||
| +
 |  | ||||||
| +	seutil_read_config($1_t)
 |  | ||||||
| +
 |  | ||||||
| +	files_dontaudit_list_default($1_t)
 |  | ||||||
| +	files_dontaudit_read_default_files($1_t)
 |  | ||||||
| +
 |  | ||||||
| +	tunable_policy(`user_ttyfile_stat',`
 |  | ||||||
| +		term_getattr_all_user_ttys($1_t)
 |  | ||||||
| +	')
 |  | ||||||
| +
 |  | ||||||
| +	# for running depmod as part of the kernel packaging process
 |  | ||||||
| +	optional_policy(`
 |  | ||||||
| +		modutils_read_module_config($1_t)
 |  | ||||||
| +	')
 |  | ||||||
| +
 |  | ||||||
| +	optional_policy(`
 |  | ||||||
| +		mta_rw_spool($1_t)
 |  | ||||||
| +	')
 |  | ||||||
| +
 |  | ||||||
| +	optional_policy(`
 |  | ||||||
| +		nis_use_ypbind($1_t)
 |  | ||||||
| +	')
 |  | ||||||
| +
 |  | ||||||
| +	optional_policy(`
 |  | ||||||
| +		nscd_socket_use($1_t)
 |  | ||||||
| +	')
 |  | ||||||
| +
 |  | ||||||
| +	optional_policy(`
 |  | ||||||
| +		quota_dontaudit_getattr_db($1_t)
 |  | ||||||
| +	')
 |  | ||||||
| +
 |  | ||||||
| +	optional_policy(`
 |  | ||||||
| +		rpm_read_db($1_t)
 |  | ||||||
| +		rpm_dontaudit_manage_db($1_t)
 |  | ||||||
| +	')
 |  | ||||||
| +')
 |  | ||||||
| +
 |  | ||||||
| +define(`userdom_unpriv_login_user', `
 |  | ||||||
| +	gen_require(`
 |  | ||||||
| +		attribute unpriv_userdomain;
 |  | ||||||
| +		attribute privhome, user_ptynode, user_home_dir_type, user_home_type, user_tmpfile, user_ttynode;
 |  | ||||||
| +	')
 |  | ||||||
| +	userdom_login_user($1)
 |  | ||||||
| +	userdom_privhome_user_template($1)
 |  | ||||||
| +
 |  | ||||||
| +	typeattribute $1_t unpriv_userdomain;
 |  | ||||||
| +	
 |  | ||||||
| +	typeattribute $1_t unpriv_userdomain;
 |  | ||||||
| +	domain_interactive_fd($1_t)
 |  | ||||||
| +
 |  | ||||||
| +	typeattribute $1_devpts_t user_ptynode;
 |  | ||||||
| +	typeattribute $1_home_dir_t user_home_dir_type;
 |  | ||||||
| +	typeattribute $1_home_t user_home_type;
 |  | ||||||
| +	typeattribute $1_tmp_t user_tmpfile;
 |  | ||||||
| +	typeattribute $1_tty_device_t user_ttynode;
 |  | ||||||
| +
 |  | ||||||
| +')
 |  | ||||||
| +userdom_unpriv_login_user(guest)
 | +userdom_unpriv_login_user(guest)
 | ||||||
| +userdom_unpriv_login_user(gadmin)
 | +userdom_unpriv_login_user(gadmin)
 | ||||||
| +#userdom_basic_networking_template(guest)
 | +userdom_unpriv_xwindows_login_user(xguest)
 | ||||||
| +#kernel_read_network_state($1_t)
 | +mozilla_per_role_template(xguest, xguest_t, xguest_r)
 | ||||||
| +#kernel_read_net_sysctls($1_t)
 |  | ||||||
| +#corenet_udp_bind_all_nodes($1_t)
 |  | ||||||
| +#corenet_udp_bind_generic_port($1_t)
 |  | ||||||
| +
 |  | ||||||
| +
 |  | ||||||
| +
 |  | ||||||
| diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/logadm.fc serefpolicy-3.0.2/policy/modules/users/logadm.fc
 | diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/logadm.fc serefpolicy-3.0.2/policy/modules/users/logadm.fc
 | ||||||
| --- nsaserefpolicy/policy/modules/users/logadm.fc	1969-12-31 19:00:00.000000000 -0500
 | --- nsaserefpolicy/policy/modules/users/logadm.fc	1969-12-31 19:00:00.000000000 -0500
 | ||||||
| +++ serefpolicy-3.0.2/policy/modules/users/logadm.fc	2007-07-11 10:06:29.000000000 -0400
 | +++ serefpolicy-3.0.2/policy/modules/users/logadm.fc	2007-07-11 10:06:29.000000000 -0400
 | ||||||
|  | |||||||
| @ -17,7 +17,7 @@ | |||||||
| Summary: SELinux policy configuration | Summary: SELinux policy configuration | ||||||
| Name: selinux-policy | Name: selinux-policy | ||||||
| Version: 3.0.2 | Version: 3.0.2 | ||||||
| Release: 6%{?dist} | Release: 7%{?dist} | ||||||
| License: GPL | License: GPL | ||||||
| Group: System Environment/Base | Group: System Environment/Base | ||||||
| Source: serefpolicy-%{version}.tgz | Source: serefpolicy-%{version}.tgz | ||||||
| @ -356,7 +356,8 @@ exit 0 | |||||||
| %endif | %endif | ||||||
| 
 | 
 | ||||||
| %changelog | %changelog | ||||||
| * Thu Jul 12 2007 Dan Walsh <dwalsh@redhat.com> 3.0.2-6 | * Thu Jul 12 2007 Dan Walsh <dwalsh@redhat.com> 3.0.2-7 | ||||||
|  | - Begin adding policy to separate setsebool from semanage | ||||||
| - Fix xserver.if definition to not break sepolgen.if | - Fix xserver.if definition to not break sepolgen.if | ||||||
| 
 | 
 | ||||||
| * Wed Jul 11 2007 Dan Walsh <dwalsh@redhat.com> 3.0.2-5 | * Wed Jul 11 2007 Dan Walsh <dwalsh@redhat.com> 3.0.2-5 | ||||||
|  | |||||||
		Loading…
	
		Reference in New Issue
	
	Block a user