From 93727e3fd2b4a308ff2533b23dac54ff962bdf5d Mon Sep 17 00:00:00 2001 From: Chris PeBenito Date: Tue, 17 Jan 2006 17:50:10 +0000 Subject: [PATCH] patch from dan 1/16/06 --- refpolicy/man/man8/ftpd_selinux.8 | 4 +-- refpolicy/policy/modules/admin/kudzu.te | 3 +- refpolicy/policy/modules/admin/readahead.te | 4 ++- refpolicy/policy/modules/apps/java.fc | 1 + refpolicy/policy/modules/kernel/devices.if | 16 +++++++++ refpolicy/policy/modules/kernel/filesystem.if | 36 +++++++++++++++++++ refpolicy/policy/modules/kernel/mls.te | 4 ++- refpolicy/policy/modules/services/apache.te | 6 +++- refpolicy/policy/modules/services/apm.te | 3 +- .../policy/modules/services/automount.te | 3 +- refpolicy/policy/modules/services/cron.te | 4 +-- refpolicy/policy/modules/services/cups.te | 8 ++--- refpolicy/policy/modules/services/hal.te | 11 ++++-- refpolicy/policy/modules/services/mta.te | 4 ++- refpolicy/policy/modules/services/sendmail.te | 4 ++- refpolicy/policy/modules/system/authlogin.if | 13 +++++++ refpolicy/policy/modules/system/authlogin.te | 14 +++----- refpolicy/policy/modules/system/hostname.te | 30 +--------------- refpolicy/policy/modules/system/init.te | 3 +- refpolicy/policy/modules/system/libraries.fc | 2 +- refpolicy/policy/modules/system/logging.te | 8 +++-- refpolicy/policy/modules/system/lvm.te | 11 ++---- refpolicy/policy/modules/system/mount.te | 5 +-- .../policy/modules/system/selinuxutil.te | 4 ++- refpolicy/policy/modules/system/unconfined.if | 1 + refpolicy/policy/modules/system/userdomain.if | 1 + refpolicy/policy/modules/system/userdomain.te | 2 +- 27 files changed, 131 insertions(+), 74 deletions(-) diff --git a/refpolicy/man/man8/ftpd_selinux.8 b/refpolicy/man/man8/ftpd_selinux.8 index 4ce159a2..017b212b 100644 --- a/refpolicy/man/man8/ftpd_selinux.8 +++ b/refpolicy/man/man8/ftpd_selinux.8 @@ -16,9 +16,9 @@ If you want to setup a directory where you can upload files to you must label th .TP chcon -t public_content_rw_t /var/ftp/incoming .TP -You must also turn on the boolean allow_ftp_anon_write. +You must also turn on the boolean allow_ftpd_anon_write. .TP -setsebool -P allow_ftp_anon_write=1 +setsebool -P allow_ftpd_anon_write=1 .TP If you want to make this permanant, i.e. survive a relabel, you must add an entry to the file_contexts.local file. .TP diff --git a/refpolicy/policy/modules/admin/kudzu.te b/refpolicy/policy/modules/admin/kudzu.te index 3fbcee30..b4fa3abb 100644 --- a/refpolicy/policy/modules/admin/kudzu.te +++ b/refpolicy/policy/modules/admin/kudzu.te @@ -1,5 +1,5 @@ -policy_module(kudzu,1.0.1) +policy_module(kudzu,1.0.2) ######################################## # @@ -63,6 +63,7 @@ fs_search_ramfs(kudzu_t) fs_write_ramfs_socket(kudzu_t) mls_file_read_up(kudzu_t) +mls_file_write_down(kudzu_t) modutils_read_mods_deps(kudzu_t) modutils_read_module_conf(kudzu_t) diff --git a/refpolicy/policy/modules/admin/readahead.te b/refpolicy/policy/modules/admin/readahead.te index 2bf7ddfd..092b49c8 100644 --- a/refpolicy/policy/modules/admin/readahead.te +++ b/refpolicy/policy/modules/admin/readahead.te @@ -1,5 +1,5 @@ -policy_module(readahead,1.0.1) +policy_module(readahead,1.0.2) ######################################## # @@ -35,6 +35,7 @@ dev_getattr_generic_blk_file(readahead_t) dev_getattr_all_chr_files(readahead_t) dev_getattr_all_blk_files(readahead_t) dev_dontaudit_read_all_blk_files(readahead_t) +dev_dontaudit_getattr_memory_dev(readahead_t) domain_use_wide_inherit_fd(readahead_t) @@ -46,6 +47,7 @@ fs_getattr_all_fs(readahead_t) fs_search_auto_mountpoints(readahead_t) fs_getattr_all_pipes(readahead_t) fs_getattr_all_files(readahead_t) +fs_search_ramfs(readahead_t) term_dontaudit_use_console(readahead_t) diff --git a/refpolicy/policy/modules/apps/java.fc b/refpolicy/policy/modules/apps/java.fc index 8d6f96cf..782c8abf 100644 --- a/refpolicy/policy/modules/apps/java.fc +++ b/refpolicy/policy/modules/apps/java.fc @@ -2,3 +2,4 @@ # /usr # /usr(/.*)?/bin/java.* -- gen_context(system_u:object_r:java_exec_t,s0) +/usr/bin/gij -- gen_context(system_u:object_r:java_exec_t,s0) diff --git a/refpolicy/policy/modules/kernel/devices.if b/refpolicy/policy/modules/kernel/devices.if index 7f65d383..8c5d3726 100644 --- a/refpolicy/policy/modules/kernel/devices.if +++ b/refpolicy/policy/modules/kernel/devices.if @@ -1133,6 +1133,22 @@ interface(`dev_delete_lvm_control',` allow $1 lvm_control_t:chr_file unlink; ') +######################################## +## +## dontaudit getattr raw memory devices (e.g. /dev/mem). +## +## +## Domain allowed access. +## +# +interface(`dev_dontaudit_getattr_memory_dev',` + gen_require(` + type memory_device_t; + ') + + dontaudit $1 memory_device_t:chr_file getattr; +') + ######################################## ## ## Read raw memory devices (e.g. /dev/mem). diff --git a/refpolicy/policy/modules/kernel/filesystem.if b/refpolicy/policy/modules/kernel/filesystem.if index ccf9265b..4eb4cee9 100644 --- a/refpolicy/policy/modules/kernel/filesystem.if +++ b/refpolicy/policy/modules/kernel/filesystem.if @@ -952,6 +952,23 @@ interface(`fs_relabelfrom_dos_fs',` allow $1 dosfs_t:filesystem relabelfrom; ') +######################################## +## +## Read eventpollfs files +## +## +## Domain allowed access. +## +# +interface(`fs_read_eventpollfs',` + gen_require(` + type eventpollfs_t; + ') + + allow $1 eventpollfs_t:dir search_dir_perms; + allow $1 eventpollfs_t:file r_file_perms; +') + ######################################## ## ## Mount an iso9660 filesystem, which @@ -2280,6 +2297,25 @@ interface(`fs_use_tmpfs_chr_dev',` allow $1 tmpfs_t:chr_file rw_file_perms; ') +######################################## +## +## dontaudit Read and write character nodes on tmpfs filesystems. +## +## +## The type of the process performing this action. +## +# +interface(`fs_dontaudit_use_tmpfs_chr_dev',` + gen_require(` + type tmpfs_t; + class dir r_dir_perms; + class chr_file rw_file_perms; + ') + + dontaudit $1 tmpfs_t:dir r_dir_perms; + dontaudit $1 tmpfs_t:chr_file rw_file_perms; +') + ######################################## ## ## Relabel character nodes on tmpfs filesystems. diff --git a/refpolicy/policy/modules/kernel/mls.te b/refpolicy/policy/modules/kernel/mls.te index 1186c59e..46e68e97 100644 --- a/refpolicy/policy/modules/kernel/mls.te +++ b/refpolicy/policy/modules/kernel/mls.te @@ -1,5 +1,5 @@ -policy_module(mls,1.1.2) +policy_module(mls,1.1.3) ######################################## # @@ -55,6 +55,7 @@ attribute mlsrangetrans; # temporarily have to break encapsulation to work around this. # +type auditd_exec_t; type crond_exec_t; type cupsd_exec_t; type getty_t; @@ -87,4 +88,5 @@ range_transition unconfined_t initrc_exec_t s0; ifdef(`enable_mls',` # run init with maximum MLS range range_transition kernel_t init_exec_t s0 - s15:c0.c255; +range_transition initrc_t auditd_exec_t s15:c0.c255; ') diff --git a/refpolicy/policy/modules/services/apache.te b/refpolicy/policy/modules/services/apache.te index a0cb9e7b..8e62ea2a 100644 --- a/refpolicy/policy/modules/services/apache.te +++ b/refpolicy/policy/modules/services/apache.te @@ -1,5 +1,5 @@ -policy_module(apache,1.1.3) +policy_module(apache,1.1.4) # # NOTES: @@ -690,6 +690,10 @@ optional_policy(`mysql',` unconfined_domain_template(httpd_unconfined_script_t) +optional_policy(`cron',` + cron_system_entry(httpd_t, httpd_exec_t) +') + optional_policy(`nscd',` nscd_use_socket(httpd_unconfined_script_t) ') diff --git a/refpolicy/policy/modules/services/apm.te b/refpolicy/policy/modules/services/apm.te index 7297b2e9..4064a402 100644 --- a/refpolicy/policy/modules/services/apm.te +++ b/refpolicy/policy/modules/services/apm.te @@ -1,5 +1,5 @@ -policy_module(apm,1.1.1) +policy_module(apm,1.1.2) ######################################## # @@ -196,6 +196,7 @@ optional_policy(`clock',` ') optional_policy(`cron',` + cron_system_entry(apmd_t, apmd_exec_t) cron_domtrans_anacron_system_job(apmd_t) ') diff --git a/refpolicy/policy/modules/services/automount.te b/refpolicy/policy/modules/services/automount.te index bf22d32d..e99181ba 100644 --- a/refpolicy/policy/modules/services/automount.te +++ b/refpolicy/policy/modules/services/automount.te @@ -1,5 +1,5 @@ -policy_module(automount,1.0.4) +policy_module(automount,1.0.5) ######################################## # @@ -108,6 +108,7 @@ fs_search_auto_mountpoints(automount_t) fs_manage_auto_mountpoints(automount_t) term_dontaudit_use_console(automount_t) +term_dontaudit_getattr_pty_dir(automount_t) init_use_fd(automount_t) init_use_script_pty(automount_t) diff --git a/refpolicy/policy/modules/services/cron.te b/refpolicy/policy/modules/services/cron.te index e7355002..9962896f 100644 --- a/refpolicy/policy/modules/services/cron.te +++ b/refpolicy/policy/modules/services/cron.te @@ -1,5 +1,5 @@ -policy_module(cron,1.1.4) +policy_module(cron,1.1.5) gen_require(` class passwd rootok; @@ -120,7 +120,7 @@ files_search_default(crond_t) init_use_fd(crond_t) init_use_script_pty(crond_t) -init_read_script_pid(crond_t) +init_rw_script_pid(crond_t) libs_use_ld_so(crond_t) libs_use_shared_libs(crond_t) diff --git a/refpolicy/policy/modules/services/cups.te b/refpolicy/policy/modules/services/cups.te index 6875f0ec..be621686 100644 --- a/refpolicy/policy/modules/services/cups.te +++ b/refpolicy/policy/modules/services/cups.te @@ -1,5 +1,5 @@ -policy_module(cups,1.1.1) +policy_module(cups,1.1.2) ######################################## # @@ -201,8 +201,7 @@ ifdef(`targeted_policy',` ') optional_policy(`cron',` - cron_use_fd(cupsd_t) - cron_read_pipe(cupsd_t) + cron_system_entry(cupsd_t, cupsd_exec_t) ') optional_policy(`dbus',` @@ -580,8 +579,7 @@ ifdef(`targeted_policy', ` ') optional_policy(`cron',` - cron_use_system_job_fd(cupsd_config_t) - cron_read_pipe(cupsd_config_t) + cron_system_entry(cupsd_config_t, cupsd_config_exec_t) ') optional_policy(`dbus',` diff --git a/refpolicy/policy/modules/services/hal.te b/refpolicy/policy/modules/services/hal.te index 93199de1..f020aa40 100644 --- a/refpolicy/policy/modules/services/hal.te +++ b/refpolicy/policy/modules/services/hal.te @@ -1,5 +1,5 @@ -policy_module(hal,1.1.5) +policy_module(hal,1.1.6) ######################################## # @@ -50,6 +50,8 @@ kernel_read_kernel_sysctl(hald_t) kernel_read_fs_sysctl(hald_t) kernel_write_proc_file(hald_t) +bootloader_getattr_boot_dir(hald_t) + corecmd_exec_bin(hald_t) corecmd_exec_sbin(hald_t) @@ -82,8 +84,8 @@ domain_exec_all_entry_files(hald_t) files_exec_etc_files(hald_t) files_read_etc_files(hald_t) files_rw_etc_runtime_files(hald_t) -files_search_mnt(hald_t) files_manage_mnt_dirs(hald_t) +files_manage_mnt_files(hald_t) files_search_var_lib(hald_t) files_read_usr_files(hald_t) # hal is now execing pm-suspend @@ -145,6 +147,10 @@ optional_policy(`apm',` apm_stream_connect(hald_t) ') +optional_policy(`bind',` + bind_search_cache(hald_t) +') + optional_policy(`clock',` clock_domtrans(hald_t) ') @@ -158,6 +164,7 @@ optional_policy(`dbus',` dbus_system_bus_client_template(hald,hald_t) dbus_send_system_bus_msg(hald_t) dbus_connect_system_bus(hald_t) + allow hald_t self:dbus send_msg; init_dbus_chat_script(hald_t) diff --git a/refpolicy/policy/modules/services/mta.te b/refpolicy/policy/modules/services/mta.te index b569efc6..cab30228 100644 --- a/refpolicy/policy/modules/services/mta.te +++ b/refpolicy/policy/modules/services/mta.te @@ -1,5 +1,5 @@ -policy_module(mta,1.1.3) +policy_module(mta,1.1.4) ######################################## # @@ -53,6 +53,8 @@ kernel_read_network_state(system_mail_t) dev_read_rand(system_mail_t) dev_read_urand(system_mail_t) +fs_read_eventpollfs(system_mail_t) + init_use_script_pty(system_mail_t) userdom_use_sysadm_terms(system_mail_t) diff --git a/refpolicy/policy/modules/services/sendmail.te b/refpolicy/policy/modules/services/sendmail.te index 2a00b44c..edaf2930 100644 --- a/refpolicy/policy/modules/services/sendmail.te +++ b/refpolicy/policy/modules/services/sendmail.te @@ -1,5 +1,5 @@ -policy_module(sendmail,1.1.1) +policy_module(sendmail,1.1.2) ######################################## # @@ -31,6 +31,7 @@ allow sendmail_t self:fifo_file rw_file_perms; allow sendmail_t self:unix_stream_socket create_stream_socket_perms; allow sendmail_t self:unix_dgram_socket create_socket_perms; allow sendmail_t self:tcp_socket create_stream_socket_perms; +allow sendmail_t self:udp_socket create_socket_perms; allow sendmail_t sendmail_log_t:file create_file_perms; allow sendmail_t sendmail_log_t:dir { rw_dir_perms setattr }; @@ -92,6 +93,7 @@ sysnet_read_config(sendmail_t) userdom_dontaudit_use_unpriv_user_fd(sendmail_t) userdom_dontaudit_search_sysadm_home_dir(sendmail_t) +mta_read_config(sendmail_t) mta_filetrans_etc_aliases(sendmail_t) # Write to /etc/aliases and /etc/mail. mta_rw_aliases(sendmail_t) diff --git a/refpolicy/policy/modules/system/authlogin.if b/refpolicy/policy/modules/system/authlogin.if index 02b91c17..fca83333 100644 --- a/refpolicy/policy/modules/system/authlogin.if +++ b/refpolicy/policy/modules/system/authlogin.if @@ -918,6 +918,19 @@ interface(`auth_dontaudit_exec_utempter',` dontaudit $1 utempter_exec_t:file { execute execute_no_trans }; ') +####################################### +# +# auth_setattr_login_records(domain) +# +interface(`auth_setattr_login_records',` + gen_require(` + type wtmp_t; + ') + + allow $1 wtmp_t:file setattr; + logging_search_logs($1) +') + ####################################### # # auth_read_login_records(domain) diff --git a/refpolicy/policy/modules/system/authlogin.te b/refpolicy/policy/modules/system/authlogin.te index 920a183c..8c66d9e5 100644 --- a/refpolicy/policy/modules/system/authlogin.te +++ b/refpolicy/policy/modules/system/authlogin.te @@ -1,5 +1,5 @@ -policy_module(authlogin,1.1.1) +policy_module(authlogin,1.1.2) ######################################## # @@ -129,14 +129,6 @@ optional_policy(`nscd',` nscd_use_socket(pam_t) ') -ifdef(`TODO',` -ifdef(`gnome-pty-helper.te', `allow pam_t gphdomain:fd use;') -# Supress xdm denial -ifdef(`xdm.te', ` -dontaudit pam_t xdm_t:fd use; -') dnl ifdef -') dnl endif TODO - ######################################## # # PAM console local policy @@ -229,6 +221,10 @@ ifdef(`targeted_policy', ` files_dontaudit_read_root_file(pam_console_t) ') +optional_policy(`alsa',` + alsa_domtrans(pam_console_t) +') + optional_policy(`gpm',` gpm_getattr_gpmctl(pam_console_t) gpm_setattr_gpmctl(pam_console_t) diff --git a/refpolicy/policy/modules/system/hostname.te b/refpolicy/policy/modules/system/hostname.te index bfc5fdbb..35ae3448 100644 --- a/refpolicy/policy/modules/system/hostname.te +++ b/refpolicy/policy/modules/system/hostname.te @@ -29,6 +29,7 @@ dev_read_sysfs(hostname_t) fs_getattr_xattr_fs(hostname_t) fs_search_auto_mountpoints(hostname_t) +fs_dontaudit_use_tmpfs_chr_dev(hostname_t) term_dontaudit_use_console(hostname_t) term_use_all_user_ttys(hostname_t) @@ -55,35 +56,6 @@ miscfiles_read_localization(hostname_t) sysnet_read_config(hostname_t) sysnet_dns_name_resolve(hostname_t) -userdom_use_all_user_fd(hostname_t) -ifdef(`distro_redhat', ` - fs_use_tmpfs_chr_dev(hostname_t) -') -ifdef(`targeted_policy', ` - term_dontaudit_use_unallocated_tty(hostname_t) - term_dontaudit_use_generic_pty(hostname_t) - files_dontaudit_read_root_file(hostname_t) -') -optional_policy(`firstboot',` - firstboot_use_fd(hostname_t) -') - -optional_policy(`hotplug',` - hotplug_dontaudit_use_fd(hostname_t) -') - -optional_policy(`nscd',` - nscd_use_socket(hostname_t) -') - -optional_policy(`selinuxutil',` - seutil_sigchld_newrole(hostname_t) -') - -optional_policy(`udev',` - udev_dontaudit_use_fd(hostname_t) - udev_read_db(hostname_t) -') diff --git a/refpolicy/policy/modules/system/init.te b/refpolicy/policy/modules/system/init.te index 062a7b4b..4a104201 100644 --- a/refpolicy/policy/modules/system/init.te +++ b/refpolicy/policy/modules/system/init.te @@ -1,5 +1,5 @@ -policy_module(init,1.1.4) +policy_module(init,1.1.5) gen_require(` class passwd rootok; @@ -298,6 +298,7 @@ term_use_all_terms(initrc_t) term_reset_tty_labels(initrc_t) auth_rw_login_records(initrc_t) +auth_setattr_login_records(initrc_t) auth_rw_lastlog(initrc_t) auth_read_pam_pid(initrc_t) auth_delete_pam_pid(initrc_t) diff --git a/refpolicy/policy/modules/system/libraries.fc b/refpolicy/policy/modules/system/libraries.fc index a3a3128b..28c4f03a 100644 --- a/refpolicy/policy/modules/system/libraries.fc +++ b/refpolicy/policy/modules/system/libraries.fc @@ -158,7 +158,7 @@ ifdef(`distro_redhat',` # Flash plugin, Macromedia HOME_DIR/.*/plugins/libflashplayer\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) -/usr/lib(64)?/.*/plugins/libflashplayer\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/usr/lib(64)?/.*/libflashplayer\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) # Jai, Sun Microsystems (Jpackage SPRM) /usr/lib(64)?/libmlib_jai\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) diff --git a/refpolicy/policy/modules/system/logging.te b/refpolicy/policy/modules/system/logging.te index fc66ecfa..2f5f22a2 100644 --- a/refpolicy/policy/modules/system/logging.te +++ b/refpolicy/policy/modules/system/logging.te @@ -1,5 +1,5 @@ -policy_module(logging,1.1.1) +policy_module(logging,1.1.2) ######################################## # @@ -20,7 +20,11 @@ type auditd_log_t; files_security_file(auditd_log_t) type auditd_t; -type auditd_exec_t; +# real declaration moved to mls until +# range_transition works in loadable modules +gen_require(` + type auditd_exec_t; +') init_daemon_domain(auditd_t,auditd_exec_t) type auditd_var_run_t; diff --git a/refpolicy/policy/modules/system/lvm.te b/refpolicy/policy/modules/system/lvm.te index 6bf26465..ea4ac9c7 100644 --- a/refpolicy/policy/modules/system/lvm.te +++ b/refpolicy/policy/modules/system/lvm.te @@ -1,5 +1,5 @@ -policy_module(lvm,1.1.0) +policy_module(lvm,1.1.1) ######################################## # @@ -209,6 +209,7 @@ storage_create_fixed_disk(lvm_t) storage_manage_fixed_disk(lvm_t) term_dontaudit_getattr_all_user_ttys(lvm_t) +term_dontaudit_getattr_pty_dir(lvm_t) corecmd_search_sbin(lvm_t) corecmd_dontaudit_getattr_sbin_file(lvm_t) @@ -259,11 +260,3 @@ optional_policy(`gpm',` optional_policy(`udev',` udev_read_db(lvm_t) ') - -ifdef(`TODO',` -# it has no reason to need this -allow lvm_t var_t:dir { search getattr }; -allow lvm_t ramfs_t:filesystem unmount; - -dontaudit lvm_t xconsole_device_t:fifo_file getattr; -') dnl end TODO diff --git a/refpolicy/policy/modules/system/mount.te b/refpolicy/policy/modules/system/mount.te index 2197e829..79e9c1de 100644 --- a/refpolicy/policy/modules/system/mount.te +++ b/refpolicy/policy/modules/system/mount.te @@ -1,5 +1,5 @@ -policy_module(mount,1.1.2) +policy_module(mount,1.1.3) ######################################## # @@ -32,6 +32,7 @@ corenet_dontaudit_udp_bind_all_reserved_ports(mount_t) dev_getattr_all_blk_files(mount_t) dev_list_all_dev_nodes(mount_t) +dev_rw_lvm_control(mount_t) storage_raw_read_fixed_disk(mount_t) storage_raw_write_fixed_disk(mount_t) @@ -46,7 +47,7 @@ fs_relabelfrom_all_fs(mount_t) fs_search_auto_mountpoints(mount_t) fs_use_tmpfs_chr_dev(mount_t) -term_use_console(mount_t) +term_use_all_terms(mount_t) # required for mount.smbfs corecmd_exec_sbin(mount_t) diff --git a/refpolicy/policy/modules/system/selinuxutil.te b/refpolicy/policy/modules/system/selinuxutil.te index 8f1d53f9..97c60aa8 100644 --- a/refpolicy/policy/modules/system/selinuxutil.te +++ b/refpolicy/policy/modules/system/selinuxutil.te @@ -1,5 +1,5 @@ -policy_module(selinuxutil,1.0.2) +policy_module(selinuxutil,1.0.3) gen_require(` bool secure_mode; @@ -316,6 +316,7 @@ ifdef(`gnome-pty-helper.te', `allow newrole_t gphdomain:fd use;') # allow restorecon_t self:capability { dac_override dac_read_search fowner }; +allow restorecon_t self:fifo_file rw_file_perms; allow restorecon_t { policy_src_t policy_config_t file_context_t selinux_config_t default_context_t }:dir r_dir_perms; allow restorecon_t { policy_src_t policy_config_t file_context_t selinux_config_t default_context_t }:file r_file_perms; @@ -469,6 +470,7 @@ ifdef(`distro_gentoo', ` # allow setfiles_t self:capability { dac_override dac_read_search fowner }; +allow setfiles_t self:fifo_file rw_file_perms; allow setfiles_t { policy_src_t policy_config_t file_context_t selinux_config_t default_context_t }:dir r_dir_perms; allow setfiles_t { policy_src_t policy_config_t file_context_t selinux_config_t default_context_t }:file r_file_perms; diff --git a/refpolicy/policy/modules/system/unconfined.if b/refpolicy/policy/modules/system/unconfined.if index 45f5d7dc..59fe0092 100644 --- a/refpolicy/policy/modules/system/unconfined.if +++ b/refpolicy/policy/modules/system/unconfined.if @@ -33,6 +33,7 @@ template(`unconfined_domain_template',` corenet_unconfined($1) dev_unconfined($1) domain_unconfined($1) + domain_dontaudit_read_all_domains_state($1) files_unconfined($1) fs_unconfined($1) selinux_unconfined($1) diff --git a/refpolicy/policy/modules/system/userdomain.if b/refpolicy/policy/modules/system/userdomain.if index 6b518989..a19ab644 100644 --- a/refpolicy/policy/modules/system/userdomain.if +++ b/refpolicy/policy/modules/system/userdomain.if @@ -111,6 +111,7 @@ template(`base_user_template',` allow $1_t $1_home_t:fifo_file { create_file_perms relabelfrom relabelto }; allow $1_t $1_home_dir_t:dir { create_dir_perms relabelfrom relabelto }; type_transition $1_t $1_home_dir_t:{ dir notdevfile_class_set } $1_home_t; + files_search_home($1_t) can_exec($1_t,$1_tmp_t) diff --git a/refpolicy/policy/modules/system/userdomain.te b/refpolicy/policy/modules/system/userdomain.te index a4a0801d..2e794796 100644 --- a/refpolicy/policy/modules/system/userdomain.te +++ b/refpolicy/policy/modules/system/userdomain.te @@ -1,5 +1,5 @@ -policy_module(userdomain,1.1.5) +policy_module(userdomain,1.1.6) gen_require(` role sysadm_r, staff_r, user_r, secadm_r;