rpms/selinux-policy
6
0
Fork 0
Code Issues Pull Requests Releases Activity

- Update to upstream

Browse Source
This commit is contained in:
Daniel J Walsh 2008-06-12 18:26:59 +00:00
parent af0f735167
commit 93df8504c9
1 changed files with 87 additions and 71 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

156
policy-20080509.patch
View File

@ -25914,7 +25914,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
/var/lib/pam_devperm/:0 -- gen_context(system_u:object_r:xdm_var_lib_t,s0) /var/lib/pam_devperm/:0 -- gen_context(system_u:object_r:xdm_var_lib_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.if serefpolicy-3.4.2/policy/modules/services/xserver.if diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.if serefpolicy-3.4.2/policy/modules/services/xserver.if
--- nsaserefpolicy/policy/modules/services/xserver.if 2008-05-19 10:26:38.000000000 -0400 --- nsaserefpolicy/policy/modules/services/xserver.if 2008-05-19 10:26:38.000000000 -0400
+++ serefpolicy-3.4.2/policy/modules/services/xserver.if 2008-06-12 10:36:55.251920000 -0400 +++ serefpolicy-3.4.2/policy/modules/services/xserver.if 2008-06-12 12:10:32.884486000 -0400
@@ -16,7 +16,8 @@ @@ -16,7 +16,8 @@
gen_require(` gen_require(`
type xkb_var_lib_t, xserver_exec_t, xserver_log_t; type xkb_var_lib_t, xserver_exec_t, xserver_log_t;
@ -26204,7 +26204,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
# for when /tmp/.X11-unix is created by the system # for when /tmp/.X11-unix is created by the system
allow $2 xdm_t:fd use; allow $2 xdm_t:fd use;
@@ -643,11 +623,81 @@ @@ -643,13 +623,175 @@
xserver_read_xdm_tmp_files($2) xserver_read_xdm_tmp_files($2)
@ -26246,7 +26246,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
+ attribute x_domain; + attribute x_domain;
+ type $1_xserver_t; + type $1_xserver_t;
+# type $2_input_xevent_t; +# type $2_input_xevent_t;
') + ')
+ +
+# typeattribute $2_input_xevent_t $1_input_xevent_type; +# typeattribute $2_input_xevent_t $1_input_xevent_type;
+ +
@ -26266,10 +26266,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
+ # manage: xhost X11:ChangeHosts + # manage: xhost X11:ChangeHosts
+ # freeze: metacity X11:GrabKey + # freeze: metacity X11:GrabKey
+ # force_cursor: metacity X11:GrabPointer + # force_cursor: metacity X11:GrabPointer
+ allow $3 $1_xserver_t:x_device { manage freeze force_cursor }; + allow $3 $1_xserver_t:x_device { read manage freeze force_cursor };
+ allow $3 $1_xserver_t:x_device { getfocus setfocus grab use getattr setattr bell }; + allow $3 $1_xserver_t:x_device { getfocus setfocus grab use getattr setattr bell };
+ +
+
+ # gnome-settings-daemon XKEYBOARD:SetControls + # gnome-settings-daemon XKEYBOARD:SetControls
+ allow $3 $1_xserver_t:x_server { manage grab }; + allow $3 $1_xserver_t:x_server { manage grab };
+ +
@ -26287,13 +26286,20 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
+ +
+ # setattr: metacity X11:InstallColormap + # setattr: metacity X11:InstallColormap
+ allow $3 $1_xserver_t:x_screen { getattr saver_setattr saver_getattr setattr }; + allow $3 $1_xserver_t:x_screen { getattr saver_setattr saver_getattr setattr };
') +')
+
####################################### +#######################################
@@ -662,6 +712,99 @@ +## <summary>
## is the prefix for user_t). +## Interface to provide X object permissions on a given X server to
## </summary> +## an X client domain. Provides the minimal set required by a basic
## </param> +## X client application.
+## </summary>
+## <param name="user">
+## <summary>
+## The prefix of the X server domain (e.g., user
+## is the prefix for user_t).
+## </summary>
+## </param>
+## <param name="domain"> +## <param name="domain">
+## <summary> +## <summary>
+## Client domain allowed access. +## Client domain allowed access.
@ -26333,7 +26339,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
+ type manage_xevent_t, output_xext_t, property_xevent_t; + type manage_xevent_t, output_xext_t, property_xevent_t;
+ type shmem_xext_t, xselection_t; + type shmem_xext_t, xselection_t;
+ attribute xevent_type, xextension_type; + attribute xevent_type, xextension_type;
+ ') ')
+ # can receive certain root window events + # can receive certain root window events
+ allow $2 self:x_cursor { destroy create use setattr }; + allow $2 self:x_cursor { destroy create use setattr };
+ allow $2 self:x_drawable { write getattr read destroy create add_child }; + allow $2 self:x_drawable { write getattr read destroy create add_child };
@ -26341,7 +26347,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
+ allow $2 self:x_resource { write read }; + allow $2 self:x_resource { write read };
+ +
+ allow $2 input_xevent_t:x_synthetic_event receive; + allow $2 input_xevent_t:x_synthetic_event receive;
+ allow $2 client_xevent_t:x_synthetic_event receive; + allow $2 client_xevent_t:x_synthetic_event { send receive };
+ allow $2 focus_xevent_t:x_event receive; + allow $2 focus_xevent_t:x_event receive;
+ allow $2 info_xproperty_t:x_property read; + allow $2 info_xproperty_t:x_property read;
+ allow $2 manage_xevent_t:x_event receive; + allow $2 manage_xevent_t:x_event receive;
@ -26372,25 +26378,13 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
+ +
+# xserver_use($1,$1,$2) +# xserver_use($1,$1,$2)
+ xserver_use(xdm,$1,$2) + xserver_use(xdm,$1,$2)
+') ')
+ +
+ #######################################
+#######################################
+## <summary>
+## Interface to provide X object permissions on a given X server to
+## an X client domain. Provides the minimal set required by a basic
+## X client application.
+## </summary>
+## <param name="user">
+## <summary>
+## The prefix of the X server domain (e.g., user
+## is the prefix for user_t).
+## </summary>
+## </param>
## <param name="prefix">
## <summary> ## <summary>
## The prefix of the X client domain (e.g., user ## Interface to provide X object permissions on a given X server to
@@ -676,7 +819,7 @@ @@ -676,7 +818,7 @@
# #
template(`xserver_common_x_domain_template',` template(`xserver_common_x_domain_template',`
gen_require(` gen_require(`
@ -26399,7 +26393,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
type xproperty_t, info_xproperty_t, clipboard_xproperty_t; type xproperty_t, info_xproperty_t, clipboard_xproperty_t;
type input_xevent_t, focus_xevent_t, property_xevent_t, manage_xevent_t; type input_xevent_t, focus_xevent_t, property_xevent_t, manage_xevent_t;
type xevent_t, client_xevent_t; type xevent_t, client_xevent_t;
@@ -685,7 +828,6 @@ @@ -685,7 +827,6 @@
attribute x_server_domain, x_domain; attribute x_server_domain, x_domain;
attribute xproperty_type; attribute xproperty_type;
attribute xevent_type, xextension_type; attribute xevent_type, xextension_type;
@ -26407,7 +26401,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
class x_drawable all_x_drawable_perms; class x_drawable all_x_drawable_perms;
class x_screen all_x_screen_perms; class x_screen all_x_screen_perms;
@@ -709,20 +851,22 @@ @@ -709,20 +850,22 @@
# Declarations # Declarations
# #
@ -26433,7 +26427,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
############################## ##############################
# #
# Local Policy # Local Policy
@@ -740,7 +884,7 @@ @@ -740,7 +883,7 @@
allow $3 x_server_domain:x_server getattr; allow $3 x_server_domain:x_server getattr;
# everyone can do override-redirect windows. # everyone can do override-redirect windows.
# this could be used to spoof labels # this could be used to spoof labels
@ -26442,7 +26436,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
# everyone can receive management events on the root window # everyone can receive management events on the root window
# allows to know when new windows appear, among other things # allows to know when new windows appear, among other things
allow $3 manage_xevent_t:x_event receive; allow $3 manage_xevent_t:x_event receive;
@@ -749,7 +893,7 @@ @@ -749,7 +892,7 @@
# can read server-owned resources # can read server-owned resources
allow $3 x_server_domain:x_resource read; allow $3 x_server_domain:x_resource read;
# can mess with own clients # can mess with own clients
@ -26451,7 +26445,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
# X Protocol Extensions # X Protocol Extensions
allow $3 std_xext_t:x_extension { query use }; allow $3 std_xext_t:x_extension { query use };
@@ -758,27 +902,17 @@ @@ -758,27 +901,17 @@
# X Properties # X Properties
# can read and write client properties # can read and write client properties
@ -26484,20 +26478,20 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
# X Input # X Input
# can receive own events # can receive own events
@@ -805,6 +939,12 @@ @@ -805,6 +938,12 @@
allow $3 manage_xevent_t:x_synthetic_event send; allow $3 manage_xevent_t:x_synthetic_event send;
allow $3 client_xevent_t:x_synthetic_event send; allow $3 client_xevent_t:x_synthetic_event send;
+ allow $3 input_xevent_t:x_event receive; + allow $3 input_xevent_t:x_event receive;
+ allow $3 input_xevent_t:x_synthetic_event send; + allow $3 input_xevent_t:x_synthetic_event send;
+ allow $3 $2_client_xevent_t:x_synthetic_event send; + allow $3 $2_client_xevent_t:x_synthetic_event send;
+ allow $3 xproperty_t:x_property read; + allow $3 xproperty_t:x_property { read destroy };
+ allow $3 xselection_t:x_selection setattr; + allow $3 xselection_t:x_selection setattr;
+ +
# X Selections # X Selections
# can use the clipboard # can use the clipboard
allow $3 clipboard_xselection_t:x_selection { getattr setattr read }; allow $3 clipboard_xselection_t:x_selection { getattr setattr read };
@@ -813,13 +953,15 @@ @@ -813,13 +952,15 @@
# Other X Objects # Other X Objects
# can create and use cursors # can create and use cursors
@ -26517,7 +26511,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
tunable_policy(`! xserver_object_manager',` tunable_policy(`! xserver_object_manager',`
# should be xserver_unconfined($3), # should be xserver_unconfined($3),
@@ -879,17 +1021,17 @@ @@ -879,17 +1020,17 @@
# #
template(`xserver_user_x_domain_template',` template(`xserver_user_x_domain_template',`
gen_require(` gen_require(`
@ -26542,7 +26536,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
# for when /tmp/.X11-unix is created by the system # for when /tmp/.X11-unix is created by the system
allow $3 xdm_t:fd use; allow $3 xdm_t:fd use;
@@ -916,11 +1058,9 @@ @@ -916,11 +1057,9 @@
# X object manager # X object manager
xserver_common_x_domain_template($1,$2,$3) xserver_common_x_domain_template($1,$2,$3)
@ -26557,7 +26551,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
') ')
######################################## ########################################
@@ -952,26 +1092,43 @@ @@ -952,26 +1091,43 @@
# #
template(`xserver_use_user_fonts',` template(`xserver_use_user_fonts',`
gen_require(` gen_require(`
@ -26608,7 +26602,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
## Transition to a user Xauthority domain. ## Transition to a user Xauthority domain.
## </summary> ## </summary>
## <desc> ## <desc>
@@ -1005,6 +1162,73 @@ @@ -1005,6 +1161,73 @@
######################################## ########################################
## <summary> ## <summary>
@ -26682,7 +26676,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
## Transition to a user Xauthority domain. ## Transition to a user Xauthority domain.
## </summary> ## </summary>
## <desc> ## <desc>
@@ -1030,10 +1254,10 @@ @@ -1030,10 +1253,10 @@
# #
template(`xserver_user_home_dir_filetrans_user_xauth',` template(`xserver_user_home_dir_filetrans_user_xauth',`
gen_require(` gen_require(`
@ -26695,7 +26689,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
') ')
######################################## ########################################
@@ -1219,6 +1443,25 @@ @@ -1219,6 +1442,25 @@
######################################## ########################################
## <summary> ## <summary>
@ -26721,7 +26715,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
## Read xdm-writable configuration files. ## Read xdm-writable configuration files.
## </summary> ## </summary>
## <param name="domain"> ## <param name="domain">
@@ -1273,6 +1516,7 @@ @@ -1273,6 +1515,7 @@
files_search_tmp($1) files_search_tmp($1)
allow $1 xdm_tmp_t:dir list_dir_perms; allow $1 xdm_tmp_t:dir list_dir_perms;
create_sock_files_pattern($1,xdm_tmp_t,xdm_tmp_t) create_sock_files_pattern($1,xdm_tmp_t,xdm_tmp_t)
@ -26729,7 +26723,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
') ')
######################################## ########################################
@@ -1291,7 +1535,7 @@ @@ -1291,7 +1534,7 @@
') ')
files_search_pids($1) files_search_pids($1)
@ -26738,7 +26732,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
') ')
######################################## ########################################
@@ -1314,6 +1558,24 @@ @@ -1314,6 +1557,24 @@
######################################## ########################################
## <summary> ## <summary>
@ -26763,7 +26757,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
## Execute the X server in the XDM X server domain. ## Execute the X server in the XDM X server domain.
## </summary> ## </summary>
## <param name="domain"> ## <param name="domain">
@@ -1324,15 +1586,47 @@ @@ -1324,15 +1585,47 @@
# #
interface(`xserver_domtrans_xdm_xserver',` interface(`xserver_domtrans_xdm_xserver',`
gen_require(` gen_require(`
@ -26812,7 +26806,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
## Make an X session script an entrypoint for the specified domain. ## Make an X session script an entrypoint for the specified domain.
## </summary> ## </summary>
## <param name="domain"> ## <param name="domain">
@@ -1482,7 +1776,7 @@ @@ -1482,7 +1775,7 @@
type xdm_xserver_tmp_t; type xdm_xserver_tmp_t;
') ')
@ -26821,7 +26815,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
') ')
######################################## ########################################
@@ -1674,6 +1968,65 @@ @@ -1674,6 +1967,65 @@
######################################## ########################################
## <summary> ## <summary>
@ -26887,7 +26881,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
## Interface to provide X object permissions on a given X server to ## Interface to provide X object permissions on a given X server to
## an X client domain. Gives the domain complete control over the ## an X client domain. Gives the domain complete control over the
## display. ## display.
@@ -1686,8 +2039,87 @@ @@ -1686,8 +2038,87 @@
# #
interface(`xserver_unconfined',` interface(`xserver_unconfined',`
gen_require(` gen_require(`
@ -30469,7 +30463,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/raid.t
+') +')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinuxutil.fc serefpolicy-3.4.2/policy/modules/system/selinuxutil.fc diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinuxutil.fc serefpolicy-3.4.2/policy/modules/system/selinuxutil.fc
--- nsaserefpolicy/policy/modules/system/selinuxutil.fc 2008-05-19 10:26:42.000000000 -0400 --- nsaserefpolicy/policy/modules/system/selinuxutil.fc 2008-05-19 10:26:42.000000000 -0400
+++ serefpolicy-3.4.2/policy/modules/system/selinuxutil.fc 2008-06-12 10:36:55.473696000 -0400 +++ serefpolicy-3.4.2/policy/modules/system/selinuxutil.fc 2008-06-12 14:04:10.162698000 -0400
@@ -38,7 +38,7 @@ @@ -38,7 +38,7 @@
/usr/sbin/restorecond -- gen_context(system_u:object_r:restorecond_exec_t,s0) /usr/sbin/restorecond -- gen_context(system_u:object_r:restorecond_exec_t,s0)
/usr/sbin/run_init -- gen_context(system_u:object_r:run_init_exec_t,s0) /usr/sbin/run_init -- gen_context(system_u:object_r:run_init_exec_t,s0)
@ -30479,6 +30473,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu
/usr/sbin/semanage -- gen_context(system_u:object_r:semanage_exec_t,s0) /usr/sbin/semanage -- gen_context(system_u:object_r:semanage_exec_t,s0)
/usr/sbin/semodule -- gen_context(system_u:object_r:semanage_exec_t,s0) /usr/sbin/semodule -- gen_context(system_u:object_r:semanage_exec_t,s0)
@@ -46,3 +46,8 @@
# /var/run
#
/var/run/restorecond\.pid -- gen_context(system_u:object_r:restorecond_var_run_t,s0)
+
+#
+# /var/lib
+#
+/var/lib/selinux(/.*)? gen_context(system_u:object_r:selinux_var_lib_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinuxutil.if serefpolicy-3.4.2/policy/modules/system/selinuxutil.if diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinuxutil.if serefpolicy-3.4.2/policy/modules/system/selinuxutil.if
--- nsaserefpolicy/policy/modules/system/selinuxutil.if 2008-05-29 15:55:43.000000000 -0400 --- nsaserefpolicy/policy/modules/system/selinuxutil.if 2008-05-29 15:55:43.000000000 -0400
+++ serefpolicy-3.4.2/policy/modules/system/selinuxutil.if 2008-06-12 10:36:55.480688000 -0400 +++ serefpolicy-3.4.2/policy/modules/system/selinuxutil.if 2008-06-12 10:36:55.480688000 -0400
@ -30986,8 +30989,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu
+') +')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinuxutil.te serefpolicy-3.4.2/policy/modules/system/selinuxutil.te diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinuxutil.te serefpolicy-3.4.2/policy/modules/system/selinuxutil.te
--- nsaserefpolicy/policy/modules/system/selinuxutil.te 2008-05-29 15:55:43.000000000 -0400 --- nsaserefpolicy/policy/modules/system/selinuxutil.te 2008-05-29 15:55:43.000000000 -0400
+++ serefpolicy-3.4.2/policy/modules/system/selinuxutil.te 2008-06-12 10:36:55.485685000 -0400 +++ serefpolicy-3.4.2/policy/modules/system/selinuxutil.te 2008-06-12 14:05:15.662484000 -0400
@@ -75,7 +75,6 @@ @@ -23,6 +23,9 @@
type selinux_config_t;
files_type(selinux_config_t)
+type selinux_var_lib_t;
+files_type(selinux_var_lib_t)
+
type checkpolicy_t, can_write_binary_policy;
type checkpolicy_exec_t;
application_domain(checkpolicy_t, checkpolicy_exec_t)
@@ -75,7 +78,6 @@
type restorecond_exec_t; type restorecond_exec_t;
init_daemon_domain(restorecond_t,restorecond_exec_t) init_daemon_domain(restorecond_t,restorecond_exec_t)
domain_obj_id_change_exemption(restorecond_t) domain_obj_id_change_exemption(restorecond_t)
@ -30995,7 +31008,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu
type restorecond_var_run_t; type restorecond_var_run_t;
files_pid_file(restorecond_var_run_t) files_pid_file(restorecond_var_run_t)
@@ -92,6 +91,10 @@ @@ -92,6 +94,10 @@
domain_interactive_fd(semanage_t) domain_interactive_fd(semanage_t)
role system_r types semanage_t; role system_r types semanage_t;
@ -31006,7 +31019,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu
type semanage_store_t; type semanage_store_t;
files_type(semanage_store_t) files_type(semanage_store_t)
@@ -109,6 +112,11 @@ @@ -109,6 +115,11 @@
init_system_domain(setfiles_t,setfiles_exec_t) init_system_domain(setfiles_t,setfiles_exec_t)
domain_obj_id_change_exemption(setfiles_t) domain_obj_id_change_exemption(setfiles_t)
@ -31018,7 +31031,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu
######################################## ########################################
# #
# Checkpolicy local policy # Checkpolicy local policy
@@ -168,6 +176,7 @@ @@ -168,6 +179,7 @@
files_read_etc_runtime_files(load_policy_t) files_read_etc_runtime_files(load_policy_t)
fs_getattr_xattr_fs(load_policy_t) fs_getattr_xattr_fs(load_policy_t)
@ -31026,7 +31039,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu
mls_file_read_all_levels(load_policy_t) mls_file_read_all_levels(load_policy_t)
@@ -195,15 +204,6 @@ @@ -195,15 +207,6 @@
') ')
') ')
@ -31042,7 +31055,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu
######################################## ########################################
# #
# Newrole local policy # Newrole local policy
@@ -221,7 +221,7 @@ @@ -221,7 +224,7 @@
allow newrole_t self:msg { send receive }; allow newrole_t self:msg { send receive };
allow newrole_t self:unix_dgram_socket sendto; allow newrole_t self:unix_dgram_socket sendto;
allow newrole_t self:unix_stream_socket { create_stream_socket_perms connectto }; allow newrole_t self:unix_stream_socket { create_stream_socket_perms connectto };
@ -31051,7 +31064,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu
read_files_pattern(newrole_t,default_context_t,default_context_t) read_files_pattern(newrole_t,default_context_t,default_context_t)
read_lnk_files_pattern(newrole_t,default_context_t,default_context_t) read_lnk_files_pattern(newrole_t,default_context_t,default_context_t)
@@ -277,6 +277,7 @@ @@ -277,6 +280,7 @@
libs_use_ld_so(newrole_t) libs_use_ld_so(newrole_t)
libs_use_shared_libs(newrole_t) libs_use_shared_libs(newrole_t)
@ -31059,7 +31072,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu
logging_send_syslog_msg(newrole_t) logging_send_syslog_msg(newrole_t)
miscfiles_read_localization(newrole_t) miscfiles_read_localization(newrole_t)
@@ -347,6 +348,8 @@ @@ -347,6 +351,8 @@
seutil_libselinux_linked(restorecond_t) seutil_libselinux_linked(restorecond_t)
@ -31068,7 +31081,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu
ifdef(`distro_ubuntu',` ifdef(`distro_ubuntu',`
optional_policy(` optional_policy(`
unconfined_domain(restorecond_t) unconfined_domain(restorecond_t)
@@ -365,7 +368,7 @@ @@ -365,7 +371,7 @@
allow run_init_t self:process setexec; allow run_init_t self:process setexec;
allow run_init_t self:capability setuid; allow run_init_t self:capability setuid;
allow run_init_t self:fifo_file rw_file_perms; allow run_init_t self:fifo_file rw_file_perms;
@ -31077,7 +31090,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu
# often the administrator runs such programs from a directory that is owned # often the administrator runs such programs from a directory that is owned
# by a different user or has restrictive SE permissions, do not want to audit # by a different user or has restrictive SE permissions, do not want to audit
@@ -396,7 +399,6 @@ @@ -396,7 +402,6 @@
auth_use_nsswitch(run_init_t) auth_use_nsswitch(run_init_t)
auth_domtrans_chk_passwd(run_init_t) auth_domtrans_chk_passwd(run_init_t)
@ -31085,7 +31098,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu
auth_dontaudit_read_shadow(run_init_t) auth_dontaudit_read_shadow(run_init_t)
init_spec_domtrans_script(run_init_t) init_spec_domtrans_script(run_init_t)
@@ -435,64 +437,17 @@ @@ -435,64 +440,22 @@
# semodule local policy # semodule local policy
# #
@ -31104,9 +31117,13 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu
-kernel_read_kernel_sysctls(semanage_t) -kernel_read_kernel_sysctls(semanage_t)
- -
-corecmd_exec_bin(semanage_t) -corecmd_exec_bin(semanage_t)
- +seutil_semanage_policy(semanage_t)
+allow semanage_t self:fifo_file rw_fifo_file_perms;
-dev_read_urand(semanage_t) -dev_read_urand(semanage_t)
- +manage_dirs_pattern(semanage_t, selinux_var_lib_t, selinux_var_lib_t)
+manage_files_pattern(semanage_t, selinux_var_lib_t, selinux_var_lib_t)
-domain_use_interactive_fds(semanage_t) -domain_use_interactive_fds(semanage_t)
- -
-files_read_etc_files(semanage_t) -files_read_etc_files(semanage_t)
@ -31121,7 +31138,6 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu
-selinux_get_enforce_mode(semanage_t) -selinux_get_enforce_mode(semanage_t)
-selinux_getattr_fs(semanage_t) -selinux_getattr_fs(semanage_t)
-# for setsebool: -# for setsebool:
+seutil_semanage_policy(semanage_t)
selinux_set_boolean(semanage_t) selinux_set_boolean(semanage_t)
+can_exec(semanage_t, semanage_exec_t) +can_exec(semanage_t, semanage_exec_t)
@ -31155,7 +31171,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu
# netfilter_contexts: # netfilter_contexts:
seutil_manage_default_contexts(semanage_t) seutil_manage_default_contexts(semanage_t)
@@ -501,12 +456,21 @@ @@ -501,12 +464,21 @@
files_read_var_lib_symlinks(semanage_t) files_read_var_lib_symlinks(semanage_t)
') ')
@ -31177,7 +31193,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu
# cjp: need a more general way to handle this: # cjp: need a more general way to handle this:
ifdef(`enable_mls',` ifdef(`enable_mls',`
# read secadm tmp files # read secadm tmp files
@@ -514,121 +478,40 @@ @@ -514,121 +486,40 @@
# Handle pp files created in homedir and /tmp # Handle pp files created in homedir and /tmp
sysadm_read_home_content_files(semanage_t) sysadm_read_home_content_files(semanage_t)
sysadm_read_tmp_files(semanage_t) sysadm_read_tmp_files(semanage_t)