From 99873745bf47d964867baa409baf6979f1b0648c Mon Sep 17 00:00:00 2001 From: Daniel J Walsh Date: Tue, 30 Sep 2008 14:39:16 +0000 Subject: [PATCH] - Change all user tmpfs_t files to be labeled user_tmpfs_t - Allow radiusd to create sock_files --- policy-20080710.patch | 659 +++++++++++++++++++++++++----------------- selinux-policy.spec | 23 +- 2 files changed, 415 insertions(+), 267 deletions(-) diff --git a/policy-20080710.patch b/policy-20080710.patch index 29d84f6e..d81e4546 100644 --- a/policy-20080710.patch +++ b/policy-20080710.patch @@ -4417,8 +4417,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +HOME_DIR/\.gstreamer-.* gen_context(system_u:object_r:nsplugin_home_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin.if serefpolicy-3.5.9/policy/modules/apps/nsplugin.if --- nsaserefpolicy/policy/modules/apps/nsplugin.if 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.5.9/policy/modules/apps/nsplugin.if 2008-09-25 08:33:18.000000000 -0400 -@@ -0,0 +1,293 @@ ++++ serefpolicy-3.5.9/policy/modules/apps/nsplugin.if 2008-09-29 10:47:02.000000000 -0400 +@@ -0,0 +1,290 @@ + +## policy for nsplugin + @@ -4500,7 +4500,6 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + type nsplugin_home_t; + type nsplugin_exec_t; + type nsplugin_config_exec_t; -+ type $1_tmpfs_t; + type nsplugin_t; + type nsplugin_config_t; + ') @@ -4534,8 +4533,6 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + stream_connect_pattern(nsplugin_t, user_home_t, user_home_t, $2) + gnome_stream_connect(nsplugin_t, $2) + -+ allow nsplugin_t $1_tmpfs_t:file { read getattr }; -+ + userdom_use_user_terminals($1, nsplugin_t) + userdom_use_user_terminals($1, nsplugin_config_t) + 
@@ -4714,7 +4711,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin.te serefpolicy-3.5.9/policy/modules/apps/nsplugin.te --- nsaserefpolicy/policy/modules/apps/nsplugin.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.5.9/policy/modules/apps/nsplugin.te 2008-09-25 08:33:18.000000000 -0400 ++++ serefpolicy-3.5.9/policy/modules/apps/nsplugin.te 2008-09-29 11:06:29.000000000 -0400 @@ -0,0 +1,234 @@ + +policy_module(nsplugin, 1.0.0) @@ -4784,6 +4781,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +manage_lnk_files_pattern(nsplugin_t, nsplugin_home_t, nsplugin_home_t) +userdom_user_home_dir_filetrans(user, nsplugin_t, nsplugin_home_t, {file dir}) +unprivuser_dontaudit_write_home_content_files(nsplugin_t) ++userdom_manage_tmpfs(nsplugin_t) + +corecmd_exec_bin(nsplugin_t) +corecmd_exec_shell(nsplugin_t) @@ -4814,7 +4812,6 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +files_read_config_files(nsplugin_t) + +fs_list_inotifyfs(nsplugin_t) -+fs_manage_tmpfs_files(nsplugin_t) +fs_getattr_tmpfs(nsplugin_t) +fs_getattr_xattr_fs(nsplugin_t) + @@ -8796,7 +8793,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm.if serefpolicy-3.5.9/policy/modules/roles/sysadm.if --- nsaserefpolicy/policy/modules/roles/sysadm.if 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.9/policy/modules/roles/sysadm.if 2008-09-25 08:33:18.000000000 -0400 ++++ serefpolicy-3.5.9/policy/modules/roles/sysadm.if 2008-09-29 15:11:59.000000000 -0400 @@ -334,10 +334,10 @@ # interface(`sysadm_getattr_home_dirs',` 
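Review bot: The added `userdom_manage_tmpfs(nsplugin_t)` in nsplugin.te looks broader than what it replaces for user-owned tmpfs files. The earlier nsplugin.if hunk drops a per-role rule that was only `allow nsplugin_t $1_tmpfs_t:file { read getattr };`, and the `fs_manage_tmpfs_files(nsplugin_t)` removed in the next hunk applied to the generic tmpfs type. The interface body is not visible here, but if it grants manage on user_tmpfs_t as its name suggests, the plugin domain gains create/write/unlink on every user's shared-memory files under the new labeling. Since nsplugin_t runs third-party browser plugins, either use a read-only or rw-without-create/unlink interface if one is sufficient, or add a comment above the call such as `# plugins create their own shm segments, which now get the user tmpfs label`, so the wider grant is a recorded decision.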
@@ -8929,7 +8926,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol - dontaudit $1 sysadm_home_dir_t:dir search_dir_perms; - dontaudit $1 sysadm_home_t:dir search_dir_perms; - dontaudit $1 sysadm_home_t:file read_file_perms; -+ dontaudit $1 admin_home_t:dir search_dir_perms; ++ dontaudit $1 admin_home_t:dir list_dir_perms; + dontaudit $1 admin_home_t:file read_file_perms; + ') @@ -12477,8 +12474,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clamav.fc serefpolicy-3.5.9/policy/modules/services/clamav.fc --- nsaserefpolicy/policy/modules/services/clamav.fc 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.9/policy/modules/services/clamav.fc 2008-09-25 08:33:18.000000000 -0400 -@@ -1,20 +1,21 @@ ++++ serefpolicy-3.5.9/policy/modules/services/clamav.fc 2008-09-29 13:12:08.000000000 -0400 +@@ -1,20 +1,22 @@ /etc/clamav(/.*)? gen_context(system_u:object_r:clamd_etc_t,s0) +/etc/rc\.d/init\.d/clamd-wrapper -- gen_context(system_u:object_r:clamd_initrc_exec_t,s0) @@ -12497,6 +12494,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +/var/run/clamd.* gen_context(system_u:object_r:clamd_var_run_t,s0) /var/lib/clamav(/.*)? gen_context(system_u:object_r:clamd_var_lib_t,s0) ++/var/clamav(/.*)? gen_context(system_u:object_r:clamd_var_lib_t,s0) -/var/log/clamav -d gen_context(system_u:object_r:clamd_var_log_t,s0) -/var/log/clamav/clamav.* -- gen_context(system_u:object_r:clamd_var_log_t,s0) 
@@ -13547,8 +13545,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol -') dnl end TODO diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups.fc serefpolicy-3.5.9/policy/modules/services/cups.fc --- nsaserefpolicy/policy/modules/services/cups.fc 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.9/policy/modules/services/cups.fc 2008-09-25 08:33:18.000000000 -0400 -@@ -8,24 +8,31 @@ ++++ serefpolicy-3.5.9/policy/modules/services/cups.fc 2008-09-30 10:27:16.000000000 -0400 +@@ -8,24 +8,33 @@ /etc/cups/ppd/.* -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0) /etc/cups/ppds\.dat -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0) /etc/cups/printers\.conf.* -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0) @@ -13556,6 +13554,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol /etc/cups/certs -d gen_context(system_u:object_r:cupsd_rw_etc_t,s0) /etc/cups/certs/.* -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0) +/etc/rc\.d/init\.d/cups -- gen_context(system_u:object_r:cupsd_initrc_exec_t,s0) ++ ++/etc/cups/interfaces(/.*)? gen_context(system_u:object_r:cupsd_interface_t,s0) /etc/hp(/.*)? gen_context(system_u:object_r:hplip_etc_t,s0) @@ -13583,7 +13583,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol /usr/sbin/printconf-backend -- gen_context(system_u:object_r:cupsd_config_exec_t,s0) /usr/sbin/ptal-printd -- gen_context(system_u:object_r:ptal_exec_t,s0) /usr/sbin/ptal-mlcd -- gen_context(system_u:object_r:ptal_exec_t,s0) -@@ -33,7 +40,7 @@ +@@ -33,7 +42,7 @@ /usr/share/cups(/.*)? gen_context(system_u:object_r:cupsd_etc_t,s0) /usr/share/foomatic/db/oldprinterids -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0) 
@@ -13592,7 +13592,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol /var/cache/alchemist/printconf.* gen_context(system_u:object_r:cupsd_rw_etc_t,s0) /var/cache/foomatic(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0) -@@ -43,10 +50,20 @@ +@@ -43,10 +52,20 @@ /var/lib/cups/certs/.* -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0) /var/log/cups(/.*)? gen_context(system_u:object_r:cupsd_log_t,s0) @@ -13744,18 +13744,21 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups.te serefpolicy-3.5.9/policy/modules/services/cups.te --- nsaserefpolicy/policy/modules/services/cups.te 2008-09-03 07:59:15.000000000 -0400 -+++ serefpolicy-3.5.9/policy/modules/services/cups.te 2008-09-25 08:33:18.000000000 -0400 -@@ -20,6 +20,9 @@ ++++ serefpolicy-3.5.9/policy/modules/services/cups.te 2008-09-29 14:52:28.000000000 -0400 +@@ -20,6 +20,12 @@ type cupsd_etc_t; files_config_file(cupsd_etc_t) +type cupsd_initrc_exec_t; +init_script_file(cupsd_initrc_exec_t) ++ ++type cupsd_interface_t; ++files_type(cupsd_interface_t) + type cupsd_rw_etc_t; files_config_file(cupsd_rw_etc_t) -@@ -48,6 +51,10 @@ +@@ -48,6 +54,10 @@ type hplip_t; type hplip_exec_t; init_daemon_domain(hplip_t, hplip_exec_t) @@ -13766,7 +13769,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol type hplip_etc_t; files_config_file(hplip_etc_t) -@@ -65,6 +72,16 @@ +@@ -65,6 +75,16 @@ type ptal_var_run_t; files_pid_file(ptal_var_run_t) @@ -13783,7 +13786,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ifdef(`enable_mcs',` init_ranged_daemon_domain(cupsd_t,cupsd_exec_t,s0 - mcs_systemhigh) ') -@@ -79,13 +96,14 @@ +@@ -79,13 +99,14 @@ # # /usr/lib/cups/backend/serial needs sys_admin(?!) 
@@ -13801,7 +13804,17 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol allow cupsd_t self:tcp_socket create_stream_socket_perms; allow cupsd_t self:udp_socket create_socket_perms; allow cupsd_t self:appletalk_socket create_socket_perms; -@@ -104,7 +122,7 @@ +@@ -97,6 +118,9 @@ + read_lnk_files_pattern(cupsd_t, cupsd_etc_t, cupsd_etc_t) + files_search_etc(cupsd_t) + ++manage_files_pattern(cupsd_t, cupsd_interface_t, cupsd_interface_t) ++can_exec(cupsd_t, cupsd_interface_t) ++ + manage_dirs_pattern(cupsd_t, cupsd_etc_t, cupsd_rw_etc_t) + manage_files_pattern(cupsd_t, cupsd_etc_t, cupsd_rw_etc_t) + filetrans_pattern(cupsd_t, cupsd_etc_t, cupsd_rw_etc_t, file) +@@ -104,7 +128,7 @@ # allow cups to execute its backend scripts can_exec(cupsd_t, cupsd_exec_t) @@ -13810,7 +13823,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol allow cupsd_t cupsd_exec_t:lnk_file read; manage_files_pattern(cupsd_t, cupsd_log_t, cupsd_log_t) -@@ -116,13 +134,20 @@ +@@ -116,13 +140,20 @@ manage_fifo_files_pattern(cupsd_t, cupsd_tmp_t, cupsd_tmp_t) files_tmp_filetrans(cupsd_t, cupsd_tmp_t, { file dir fifo_file }) @@ -13833,7 +13846,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol allow cupsd_t hplip_var_run_t:file { read getattr }; stream_connect_pattern(cupsd_t, ptal_var_run_t, ptal_var_run_t, ptal_t) -@@ -149,44 +174,49 @@ +@@ -149,44 +180,49 @@ corenet_tcp_bind_reserved_port(cupsd_t) corenet_dontaudit_tcp_bind_all_reserved_ports(cupsd_t) corenet_tcp_connect_all_ports(cupsd_t) @@ -13888,7 +13901,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol files_list_world_readable(cupsd_t) files_read_world_readable_files(cupsd_t) files_read_world_readable_symlinks(cupsd_t) -@@ -195,15 +225,16 @@ +@@ -195,15 +231,16 @@ files_read_var_symlinks(cupsd_t) # for /etc/printcap files_dontaudit_write_etc_files(cupsd_t) 
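Review bot: The two rules added for cupsd_interface_t, `manage_files_pattern(cupsd_t, cupsd_interface_t, cupsd_interface_t)` and `can_exec(cupsd_t, cupsd_interface_t)`, let cupsd_t write a file under /etc/cups/interfaces and then execute it in its own domain without a transition. Writable-and-executable by the same network-facing daemon is worth justifying in the policy; nothing in the hunk says why cupsd needs to create these files rather than only run them. If the write access is needed (presumably for installing printer interface scripts), add a comment above the pair such as `# cupsd installs printer interface scripts here and runs them itself`. Otherwise narrow the first rule to a read pattern and leave creation to the configuration domain. The surrounding cupsd_t local policy continues outside this hunk.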
@@ -13909,7 +13922,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol auth_use_nsswitch(cupsd_t) libs_use_ld_so(cupsd_t) -@@ -219,17 +250,22 @@ +@@ -219,17 +256,22 @@ miscfiles_read_fonts(cupsd_t) seutil_read_config(cupsd_t) @@ -13934,7 +13947,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') optional_policy(` -@@ -246,8 +282,16 @@ +@@ -246,8 +288,16 @@ userdom_dbus_send_all_users(cupsd_t) optional_policy(` @@ -13951,7 +13964,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') optional_policy(` -@@ -263,6 +307,10 @@ +@@ -263,6 +313,10 @@ ') optional_policy(` @@ -13962,7 +13975,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # cups execs smbtool which reads samba_etc_t files samba_read_config(cupsd_t) samba_rw_var_files(cupsd_t) -@@ -281,7 +329,7 @@ +@@ -281,7 +335,7 @@ # Cups configuration daemon local policy # @@ -13971,7 +13984,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol dontaudit cupsd_config_t self:capability sys_tty_config; allow cupsd_config_t self:process signal_perms; allow cupsd_config_t self:fifo_file rw_fifo_file_perms; -@@ -326,6 +374,7 @@ +@@ -326,6 +380,7 @@ dev_read_sysfs(cupsd_config_t) dev_read_urand(cupsd_config_t) dev_read_rand(cupsd_config_t) @@ -13979,7 +13992,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol fs_getattr_all_fs(cupsd_config_t) fs_search_auto_mountpoints(cupsd_config_t) -@@ -343,7 +392,7 @@ +@@ -343,7 +398,7 @@ files_read_var_symlinks(cupsd_config_t) # Alternatives asks for this @@ -13988,7 +14001,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol auth_use_nsswitch(cupsd_config_t) -@@ -353,6 +402,7 @@ +@@ -353,6 +408,7 @@ logging_send_syslog_msg(cupsd_config_t) miscfiles_read_localization(cupsd_config_t) 
@@ -13996,7 +14009,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol seutil_dontaudit_search_config(cupsd_config_t) -@@ -365,14 +415,16 @@ +@@ -365,14 +421,16 @@ sysadm_dontaudit_search_home_dirs(cupsd_config_t) ifdef(`distro_redhat',` @@ -14015,7 +14028,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol cron_system_entry(cupsd_config_t, cupsd_config_exec_t) ') -@@ -388,6 +440,7 @@ +@@ -388,6 +446,7 @@ optional_policy(` hal_domtrans(cupsd_config_t) hal_read_tmp_files(cupsd_config_t) @@ -14023,7 +14036,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') optional_policy(` -@@ -500,7 +553,7 @@ +@@ -500,7 +559,7 @@ allow hplip_t self:udp_socket create_socket_perms; allow hplip_t self:rawip_socket create_socket_perms; @@ -14032,7 +14045,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol cups_stream_connect(hplip_t) -@@ -509,6 +562,8 @@ +@@ -509,6 +568,8 @@ read_lnk_files_pattern(hplip_t, hplip_etc_t, hplip_etc_t) files_search_etc(hplip_t) @@ -14041,7 +14054,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol manage_files_pattern(hplip_t, hplip_var_run_t, hplip_var_run_t) files_pid_filetrans(hplip_t, hplip_var_run_t, file) -@@ -538,7 +593,8 @@ +@@ -538,7 +599,8 @@ dev_read_urand(hplip_t) dev_read_rand(hplip_t) dev_rw_generic_usb_dev(hplip_t) @@ -14051,7 +14064,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol fs_getattr_all_fs(hplip_t) fs_search_auto_mountpoints(hplip_t) -@@ -564,12 +620,14 @@ +@@ -564,12 +626,14 @@ userdom_dontaudit_use_unpriv_user_fds(hplip_t) userdom_dontaudit_search_all_users_home_content(hplip_t) @@ -14067,7 +14080,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') optional_policy(` -@@ -651,3 +709,45 @@ +@@ -651,3 +715,45 @@ optional_policy(` udev_read_db(ptal_t) ') 
@@ -15210,7 +15223,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol /var/run/dnsmasq\.pid -- gen_context(system_u:object_r:dnsmasq_var_run_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dnsmasq.if serefpolicy-3.5.9/policy/modules/services/dnsmasq.if --- nsaserefpolicy/policy/modules/services/dnsmasq.if 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.9/policy/modules/services/dnsmasq.if 2008-09-25 08:33:18.000000000 -0400 ++++ serefpolicy-3.5.9/policy/modules/services/dnsmasq.if 2008-09-30 09:59:17.000000000 -0400 @@ -1 +1,117 @@ ## dnsmasq DNS forwarder and DHCP server + @@ -15279,7 +15292,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +## +## +## -+## The type of the process performing this action. ++## Domain allowed access. +## +## +# @@ -18671,7 +18684,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/networkmanager.te serefpolicy-3.5.9/policy/modules/services/networkmanager.te --- nsaserefpolicy/policy/modules/services/networkmanager.te 2008-09-24 09:07:28.000000000 -0400 -+++ serefpolicy-3.5.9/policy/modules/services/networkmanager.te 2008-09-25 15:14:50.000000000 -0400 ++++ serefpolicy-3.5.9/policy/modules/services/networkmanager.te 2008-09-30 10:18:26.000000000 -0400 @@ -33,9 +33,9 @@ # networkmanager will ptrace itself if gdb is installed 
@@ -18730,11 +18743,26 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol libs_use_ld_so(NetworkManager_t) libs_use_shared_libs(NetworkManager_t) -@@ -128,14 +136,18 @@ - # in /etc created by NetworkManager will be labelled net_conf_t. - sysnet_manage_config(NetworkManager_t) - sysnet_etc_filetrans_config(NetworkManager_t) +@@ -119,23 +127,27 @@ + + seutil_read_config(NetworkManager_t) + +-sysnet_domtrans_ifconfig(NetworkManager_t) ++sysnet_etc_filetrans_config(NetworkManager_t) ++sysnet_delete_dhcpc_pid(NetworkManager_t) + sysnet_domtrans_dhcpc(NetworkManager_t) +-sysnet_signal_dhcpc(NetworkManager_t) ++sysnet_domtrans_ifconfig(NetworkManager_t) ++sysnet_kill_dhcpc(NetworkManager_t) ++sysnet_manage_config(NetworkManager_t) +sysnet_read_dhcp_config(NetworkManager_t) + sysnet_read_dhcpc_pid(NetworkManager_t) +-sysnet_delete_dhcpc_pid(NetworkManager_t) + sysnet_search_dhcp_state(NetworkManager_t) +-# in /etc created by NetworkManager will be labelled net_conf_t. +-sysnet_manage_config(NetworkManager_t) +-sysnet_etc_filetrans_config(NetworkManager_t) ++sysnet_signal_dhcpc(NetworkManager_t) userdom_dontaudit_use_unpriv_user_fds(NetworkManager_t) userdom_dontaudit_use_unpriv_users_ttys(NetworkManager_t) @@ -18749,7 +18777,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol optional_policy(` bind_domtrans(NetworkManager_t) bind_manage_cache(NetworkManager_t) -@@ -151,21 +163,26 @@ +@@ -151,21 +163,32 @@ ') optional_policy(` @@ -18760,6 +18788,12 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol optional_policy(` - howl_signal(NetworkManager_t) ++ dnsmasq_initrc_domtrans(NetworkManager_t) ++ dnsmasq_signal(NetworkManager_t) ++ dnsmasq_sigkill(NetworkManager_t) ++') ++ ++optional_policy(` + hal_write_log(NetworkManager_t) ') 
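Review bot: The re-sorted sysnet_* block in networkmanager.te is not a pure reorder: it adds `sysnet_kill_dhcpc(NetworkManager_t)` and drops the comment `# in /etc created by NetworkManager will be labelled net_conf_t.` that explained `sysnet_etc_filetrans_config`. The same commit adds `dnsmasq_sigkill(NetworkManager_t)` in the following optional_policy hunk and `ppp_sigkill(NetworkManager_t)` in the ppp block, each next to an existing signal grant. Keep the file-transition comment beside `sysnet_etc_filetrans_config(NetworkManager_t)`, and add one line above each new kill call, for example `# NetworkManager kills helpers that ignore SIGTERM on interface teardown` if that is the reason. That makes the added permission visible to anyone auditing what NetworkManager_t may do to other domains.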
@@ -18781,13 +18815,14 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') optional_policy(` -@@ -174,9 +191,17 @@ +@@ -174,9 +197,18 @@ ') optional_policy(` - ppp_domtrans(NetworkManager_t) + ppp_initrc_domtrans(NetworkManager_t) ppp_read_pid_files(NetworkManager_t) ++ ppp_sigkill(NetworkManager_t) ppp_signal(NetworkManager_t) + ppp_signull(NetworkManager_t) + ppp_read_config(NetworkManager_t) @@ -20306,7 +20341,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfix.te serefpolicy-3.5.9/policy/modules/services/postfix.te --- nsaserefpolicy/policy/modules/services/postfix.te 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.9/policy/modules/services/postfix.te 2008-09-25 08:33:18.000000000 -0400 ++++ serefpolicy-3.5.9/policy/modules/services/postfix.te 2008-09-29 15:12:34.000000000 -0400 @@ -6,6 +6,14 @@ # Declarations # @@ -20331,10 +20366,12 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol type postfix_exec_t; application_executable_file(postfix_exec_t) -@@ -27,6 +35,10 @@ +@@ -27,6 +35,12 @@ postfix_server_domain_template(local) mta_mailserver_delivery(postfix_local_t) ++sysadm_read_home_content_files(postfix_local_t) ++ +tunable_policy(`allow_postfix_local_write_mail_spool',` + mta_manage_spool(postfix_local_t) +') @@ -20342,7 +20379,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol type postfix_local_tmp_t; files_tmp_file(postfix_local_tmp_t) -@@ -34,6 +46,7 @@ +@@ -34,6 +48,7 @@ type postfix_map_t; type postfix_map_exec_t; application_domain(postfix_map_t, postfix_map_exec_t) 
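Review bot: `sysadm_read_home_content_files(postfix_local_t)` is added to postfix.te unconditionally and without a comment. Judging by its name and the admin_home_t rules in the sysadm.if hunk, it gives the local delivery agent read access to every file carrying the administrator home label, not only a forwarding file. If the intent is to let local(8) read root's .forward, say so in a comment (`# read root's .forward; admin_home_t has no narrower type yet`). Consider placing the call inside a tunable, the way the neighbouring `allow_postfix_local_write_mail_spool` block is, so sites that do not deliver to root can leave it off. The declarations section this line sits in continues outside the hunk.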
@@ -20350,7 +20387,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol type postfix_map_tmp_t; files_tmp_file(postfix_map_tmp_t) -@@ -80,13 +93,12 @@ +@@ -80,13 +95,12 @@ type postfix_public_t; files_type(postfix_public_t) @@ -20367,7 +20404,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol postfix_server_domain_template(virtual) mta_mailserver_delivery(postfix_virtual_t) -@@ -103,14 +115,12 @@ +@@ -103,14 +117,12 @@ allow postfix_master_t self:fifo_file rw_fifo_file_perms; allow postfix_master_t self:tcp_socket create_stream_socket_perms; allow postfix_master_t self:udp_socket create_socket_perms; @@ -20383,7 +20420,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol allow postfix_master_t postfix_map_exec_t:file { mmap_file_perms ioctl lock }; allow postfix_master_t postfix_postdrop_exec_t:file getattr; -@@ -129,6 +139,10 @@ +@@ -129,6 +141,10 @@ domtrans_pattern(postfix_master_t, postfix_showq_exec_t, postfix_showq_t) @@ -20394,7 +20431,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # allow access to deferred queue and allow removing bogus incoming entries manage_dirs_pattern(postfix_master_t, postfix_spool_t, postfix_spool_t) manage_files_pattern(postfix_master_t, postfix_spool_t, postfix_spool_t) -@@ -142,6 +156,7 @@ +@@ -142,6 +158,7 @@ delete_files_pattern(postfix_master_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t) rename_files_pattern(postfix_master_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t) @@ -20402,7 +20439,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol kernel_read_all_sysctls(postfix_master_t) -@@ -181,12 +196,17 @@ +@@ -181,12 +198,17 @@ mta_rw_aliases(postfix_master_t) mta_read_sendmail_bin(postfix_master_t) 
@@ -20420,7 +20457,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # for postalias mailman_manage_data_files(postfix_master_t) ') -@@ -196,6 +216,10 @@ +@@ -196,6 +218,10 @@ ') optional_policy(` @@ -20431,7 +20468,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol sendmail_signal(postfix_master_t) ') -@@ -255,6 +279,10 @@ +@@ -255,6 +281,10 @@ corecmd_exec_bin(postfix_cleanup_t) @@ -20442,7 +20479,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ######################################## # # Postfix local local policy -@@ -280,18 +308,25 @@ +@@ -280,18 +310,25 @@ files_read_etc_files(postfix_local_t) @@ -20468,7 +20505,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') optional_policy(` -@@ -302,8 +337,7 @@ +@@ -302,8 +339,7 @@ # # Postfix map local policy # @@ -20478,7 +20515,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol allow postfix_map_t self:unix_stream_socket create_stream_socket_perms; allow postfix_map_t self:unix_dgram_socket create_socket_perms; allow postfix_map_t self:tcp_socket create_stream_socket_perms; -@@ -353,8 +387,6 @@ +@@ -353,8 +389,6 @@ miscfiles_read_localization(postfix_map_t) @@ -20487,7 +20524,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol tunable_policy(`read_default_t',` files_list_default(postfix_map_t) files_read_default_files(postfix_map_t) -@@ -367,6 +399,11 @@ +@@ -367,6 +401,11 @@ locallogin_dontaudit_use_fds(postfix_map_t) ') @@ -20499,7 +20536,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ######################################## # # Postfix pickup local policy -@@ -391,6 +428,7 @@ +@@ -391,6 +430,7 @@ # allow postfix_pipe_t self:fifo_file rw_fifo_file_perms; 
@@ -20507,7 +20544,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol write_sock_files_pattern(postfix_pipe_t, postfix_private_t, postfix_private_t) -@@ -398,6 +436,12 @@ +@@ -398,6 +438,12 @@ rw_files_pattern(postfix_pipe_t, postfix_spool_t, postfix_spool_t) @@ -20520,7 +20557,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol optional_policy(` procmail_domtrans(postfix_pipe_t) ') -@@ -407,6 +451,14 @@ +@@ -407,6 +453,14 @@ ') optional_policy(` @@ -20535,7 +20572,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol uucp_domtrans_uux(postfix_pipe_t) ') -@@ -443,8 +495,11 @@ +@@ -443,8 +497,11 @@ ') optional_policy(` @@ -20549,7 +20586,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ####################################### -@@ -470,6 +525,15 @@ +@@ -470,6 +527,15 @@ init_sigchld_script(postfix_postqueue_t) init_use_script_fds(postfix_postqueue_t) @@ -20565,7 +20602,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ######################################## # # Postfix qmgr local policy -@@ -553,6 +617,10 @@ +@@ -553,6 +619,10 @@ mta_read_aliases(postfix_smtpd_t) optional_policy(` @@ -20576,7 +20613,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol mailman_read_data_files(postfix_smtpd_t) ') -@@ -579,7 +647,7 @@ +@@ -579,7 +649,7 @@ files_tmp_filetrans(postfix_virtual_t, postfix_virtual_tmp_t, { file dir }) # connect to master process 
@@ -20942,8 +20979,34 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # /sbin diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ppp.if serefpolicy-3.5.9/policy/modules/services/ppp.if --- nsaserefpolicy/policy/modules/services/ppp.if 2008-09-11 11:28:34.000000000 -0400 -+++ serefpolicy-3.5.9/policy/modules/services/ppp.if 2008-09-25 08:33:18.000000000 -0400 -@@ -310,6 +310,24 @@ ++++ serefpolicy-3.5.9/policy/modules/services/ppp.if 2008-09-30 10:18:46.000000000 -0400 +@@ -58,6 +58,25 @@ + + ######################################## + ## ++## Send ppp a sigkill ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++# ++interface(`ppp_sigkill',` ++ gen_require(` ++ type pppd_t; ++ ') ++ ++ allow $1 pppd_t:process sigkill; ++') ++ ++######################################## ++## + ## Send a generic signal to PPP. + ## + ## +@@ -310,6 +329,24 @@ ######################################## ## @@ -20968,7 +21031,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## All of the rules required to administrate ## an ppp environment ## -@@ -327,33 +345,42 @@ +@@ -327,33 +364,42 @@ type pppd_etc_rw_t, pppd_var_run_t; type pptp_t, pptp_log_t, pptp_var_run_t; @@ -21912,7 +21975,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/radius.te serefpolicy-3.5.9/policy/modules/services/radius.te --- nsaserefpolicy/policy/modules/services/radius.te 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.9/policy/modules/services/radius.te 2008-09-25 08:33:18.000000000 -0400 ++++ serefpolicy-3.5.9/policy/modules/services/radius.te 2008-09-29 11:01:06.000000000 -0400 @@ -16,6 +16,9 @@ type radiusd_etc_rw_t; files_type(radiusd_etc_rw_t) 
@@ -21937,7 +22000,18 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol allow radiusd_t radiusd_etc_t:dir list_dir_perms; read_files_pattern(radiusd_t, radiusd_etc_t, radiusd_etc_t) -@@ -80,15 +82,14 @@ +@@ -57,8 +59,9 @@ + + manage_files_pattern(radiusd_t, radiusd_var_lib_t, radiusd_var_lib_t) + ++manage_sock_files_pattern(radiusd_t, radiusd_var_run_t, radiusd_var_run_t) + manage_files_pattern(radiusd_t, radiusd_var_run_t, radiusd_var_run_t) +-files_pid_filetrans(radiusd_t, radiusd_var_run_t, file) ++files_pid_filetrans(radiusd_t, radiusd_var_run_t, { file sock_file }) + + kernel_read_kernel_sysctls(radiusd_t) + kernel_read_system_state(radiusd_t) +@@ -80,15 +83,14 @@ corenet_udp_bind_generic_port(radiusd_t) corenet_dontaudit_udp_bind_all_ports(radiusd_t) corenet_sendrecv_generic_server_packets(radiusd_t) @@ -21955,7 +22029,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol corecmd_exec_bin(radiusd_t) corecmd_exec_shell(radiusd_t) -@@ -98,6 +99,10 @@ +@@ -98,6 +100,10 @@ files_read_etc_files(radiusd_t) files_read_etc_runtime_files(radiusd_t) @@ -21966,7 +22040,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol libs_use_ld_so(radiusd_t) libs_use_shared_libs(radiusd_t) libs_exec_lib_files(radiusd_t) -@@ -107,8 +112,6 @@ +@@ -107,8 +113,6 @@ miscfiles_read_localization(radiusd_t) miscfiles_read_certs(radiusd_t) @@ -21975,7 +22049,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol userdom_dontaudit_use_unpriv_user_fds(radiusd_t) sysadm_dontaudit_search_home_dirs(radiusd_t) -@@ -123,7 +126,8 @@ +@@ -123,7 +127,8 @@ ') optional_policy(` 
@@ -25288,7 +25362,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol /etc/ssh/ssh_host_key -- gen_context(system_u:object_r:sshd_key_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.if serefpolicy-3.5.9/policy/modules/services/ssh.if --- nsaserefpolicy/policy/modules/services/ssh.if 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.9/policy/modules/services/ssh.if 2008-09-25 08:33:18.000000000 -0400 ++++ serefpolicy-3.5.9/policy/modules/services/ssh.if 2008-09-29 15:10:35.000000000 -0400 @@ -36,6 +36,7 @@ gen_require(` attribute ssh_server; @@ -25468,9 +25542,11 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol allow $1_t $1_devpts_t:chr_file { rw_chr_file_perms setattr getattr relabelfrom }; term_create_pty($1_t,$1_devpts_t) -@@ -479,6 +492,10 @@ +@@ -478,7 +491,12 @@ + corenet_udp_bind_all_nodes($1_t) corenet_tcp_bind_ssh_port($1_t) corenet_tcp_connect_all_ports($1_t) ++ corenet_tcp_bind_all_unreserved_ports($1_t) corenet_sendrecv_ssh_server_packets($1_t) + # -R qualifier + corenet_sendrecv_ssh_server_packets($1_t) @@ -25479,7 +25555,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol fs_dontaudit_getattr_all_fs($1_t) -@@ -506,9 +523,14 @@ +@@ -506,9 +524,14 @@ userdom_dontaudit_relabelfrom_unpriv_users_ptys($1_t) userdom_search_all_users_home_dirs($1_t) @@ -25494,7 +25570,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') tunable_policy(`use_samba_home_dirs',` -@@ -517,11 +539,7 @@ +@@ -517,11 +540,7 @@ optional_policy(` kerberos_use($1_t) @@ -25507,7 +25583,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') optional_policy(` -@@ -710,3 +728,22 @@ +@@ -710,3 +729,22 @@ dontaudit $1 sshd_key_t:file { getattr read }; ') 
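Review bot: In the ssh.if server template, the new `corenet_tcp_bind_all_unreserved_ports($1_t)` is separated from the `# -R qualifier` comment that appears to explain it. As far as the visible lines show, that comment instead precedes a second copy of `corenet_sendrecv_ssh_server_packets($1_t)`, which is already present as context two lines earlier. Move the comment directly above the bind rule and drop the duplicated sendrecv line. Because the rule lets every domain built from this template listen on any unreserved TCP port, it would be safer to wrap it in a tunable so hosts that disable remote forwarding do not carry the permission. The template body starts and ends outside this hunk.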
@@ -26145,7 +26221,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol /var/lib/pam_devperm/:0 -- gen_context(system_u:object_r:xdm_var_lib_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.if serefpolicy-3.5.9/policy/modules/services/xserver.if --- nsaserefpolicy/policy/modules/services/xserver.if 2008-09-24 09:07:28.000000000 -0400 -+++ serefpolicy-3.5.9/policy/modules/services/xserver.if 2008-09-25 08:33:18.000000000 -0400 ++++ serefpolicy-3.5.9/policy/modules/services/xserver.if 2008-09-26 13:06:46.000000000 -0400 @@ -16,6 +16,7 @@ gen_require(` type xkb_var_lib_t, xserver_exec_t, xserver_log_t; @@ -26154,7 +26230,27 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol attribute x_server_domain; class x_drawable all_x_drawable_perms; class x_colormap all_x_colormap_perms; -@@ -128,18 +129,24 @@ +@@ -77,6 +78,9 @@ + files_tmp_filetrans($1_xserver_t, $1_xserver_tmp_t, { file dir sock_file }) + + filetrans_pattern($1_xserver_t, xdm_xserver_tmp_t, $1_xserver_tmp_t, sock_file) ++ ifdef(`enable_mls',` ++ range_transition $1_xserver_t $1_xserver_tmp_t:sock_file s0 - mls_systemhigh; ++ ') + + manage_dirs_pattern($1_xserver_t, $1_xserver_tmpfs_t, $1_xserver_tmpfs_t) + manage_files_pattern($1_xserver_t, $1_xserver_tmpfs_t, $1_xserver_tmpfs_t) +@@ -95,6 +99,9 @@ + + # Labeling rules for default windows and colormaps + type_transition $1_xserver_t $1_xserver_t:{ x_drawable x_colormap } $1_rootwindow_t; ++ ifdef(`enable_mls',` ++ range_transition $1_xserver_t $1_rootwindow_t:x_drawable s0 - mls_systemhigh; ++ ') + + kernel_read_system_state($1_xserver_t) + kernel_read_device_sysctls($1_xserver_t) +@@ -128,18 +135,24 @@ dev_rw_agp($1_xserver_t) dev_rw_framebuffer($1_xserver_t) dev_manage_dri_dev($1_xserver_t) 
@@ -26181,7 +26277,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol files_read_etc_files($1_xserver_t) files_read_etc_runtime_files($1_xserver_t) -@@ -153,7 +160,8 @@ +@@ -153,7 +166,8 @@ fs_getattr_xattr_fs($1_xserver_t) fs_search_nfs($1_xserver_t) fs_search_auto_mountpoints($1_xserver_t) @@ -26191,7 +26287,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol selinux_validate_context($1_xserver_t) selinux_compute_access_vector($1_xserver_t) -@@ -163,6 +171,9 @@ +@@ -163,6 +177,9 @@ init_getpgid($1_xserver_t) @@ -26201,7 +26297,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol term_setattr_unallocated_ttys($1_xserver_t) term_use_unallocated_ttys($1_xserver_t) -@@ -270,6 +281,8 @@ +@@ -270,6 +287,8 @@ gen_require(` type iceauth_exec_t, xauth_exec_t; attribute fonts_type, fonts_cache_type, fonts_config_type; @@ -26210,7 +26306,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ############################## -@@ -280,61 +293,41 @@ +@@ -280,61 +299,41 @@ xserver_common_domain_template($1) role $3 types $1_xserver_t; @@ -26243,12 +26339,12 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol - type $1_xauth_home_t alias $1_xauth_rw_t, xauth_home_type; - files_poly_member($1_xauth_home_t) - userdom_user_home_content($1, $1_xauth_home_t) +- +- type $1_xauth_tmp_t; +- files_tmp_file($1_xauth_tmp_t) + typealias iceauth_home_t alias $1_iceauth_rw_t; + typealias iceauth_home_t alias $1_iceauth_home_t; -- type $1_xauth_tmp_t; -- files_tmp_file($1_xauth_tmp_t) -- - ############################## - # - # $1_xserver_t Local policy @@ -26291,7 +26387,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol stream_connect_pattern($2, $1_xserver_tmp_t, $1_xserver_tmp_t, $1_xserver_t) -@@ -348,85 +341,32 @@ +@@ -348,85 +347,32 @@ locallogin_use_fds($1_xserver_t) 
@@ -26360,13 +26456,13 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol - - # cjp: why? - term_use_ptmx($1_xauth_t) -- ++ ps_process_pattern($2,xauth_t) + - auth_use_nsswitch($1_xauth_t) - - libs_use_ld_so($1_xauth_t) - libs_use_shared_libs($1_xauth_t) -+ ps_process_pattern($2,xauth_t) - +- - userdom_use_user_terminals($1, $1_xauth_t) - userdom_read_user_tmp_files($1, $1_xauth_t) - @@ -26388,7 +26484,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ############################## # -@@ -435,16 +375,16 @@ +@@ -435,16 +381,16 @@ domtrans_pattern($2, iceauth_exec_t, $1_iceauth_t) @@ -26410,7 +26506,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol fs_search_auto_mountpoints($1_iceauth_t) -@@ -467,34 +407,12 @@ +@@ -467,34 +413,12 @@ # # Device rules @@ -26447,7 +26543,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # xrdb X11:ChangeProperty prop=RESOURCE_MANAGER allow $2 info_xproperty_t:x_property { create write append }; -@@ -610,7 +528,7 @@ +@@ -610,7 +534,7 @@ # refpolicywarn(`$0() has been deprecated, please use xserver_user_x_domain_template instead.') gen_require(` type xdm_t, xdm_tmp_t; @@ -26456,7 +26552,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') allow $2 self:shm create_shm_perms; -@@ -618,8 +536,8 @@ +@@ -618,8 +542,8 @@ allow $2 self:unix_stream_socket { connectto create_stream_socket_perms }; # Read .Xauthority file @@ -26467,7 +26563,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # for when /tmp/.X11-unix is created by the system allow $2 xdm_t:fd use; -@@ -643,11 +561,109 @@ +@@ -643,13 +567,208 @@ xserver_read_xdm_tmp_files($2) 
@@ -26578,13 +26674,20 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + + allow $1_xserver_t input_xevent_t:x_event send; + allow $1_xserver_t $1_rootwindow_t:x_drawable send; - ') - - ####################################### -@@ -662,6 +678,103 @@ - ## is the prefix for user_t). - ## - ## ++') ++ ++####################################### ++## ++## Interface to provide X object permissions on a given X server to ++## an X client domain. Provides the minimal set required by a basic ++## X client application. ++## ++## ++## ++## The prefix of the X server domain (e.g., user ++## is the prefix for user_t). ++## ++## +## +## +## Client domain allowed access. @@ -26667,25 +26770,13 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + +# xserver_use($1, $1, $2) + xserver_use(xdm, $1, $2) -+') + ') + + -+ -+####################################### -+## -+## Interface to provide X object permissions on a given X server to -+## an X client domain. Provides the minimal set required by a basic -+## X client application. -+## -+## -+## -+## The prefix of the X server domain (e.g., user -+## is the prefix for user_t). -+## -+## - ## - ## - ## The prefix of the X client domain (e.g., user -@@ -676,7 +789,7 @@ + ####################################### + ## + ## Interface to provide X object permissions on a given X server to +@@ -676,7 +795,7 @@ # template(`xserver_common_x_domain_template',` gen_require(` @@ -26694,7 +26785,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol type xproperty_t, info_xproperty_t, clipboard_xproperty_t; type input_xevent_t, focus_xevent_t, property_xevent_t, manage_xevent_t; type xevent_t, client_xevent_t; -@@ -685,7 +798,6 @@ +@@ -685,7 +804,6 @@ attribute x_server_domain, x_domain; attribute xproperty_type; attribute xevent_type, xextension_type; 
@@ -26702,7 +26793,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol class x_drawable all_x_drawable_perms; class x_screen all_x_screen_perms; -@@ -702,6 +814,7 @@ +@@ -702,6 +820,7 @@ class x_resource all_x_resource_perms; class x_event all_x_event_perms; class x_synthetic_event all_x_synthetic_event_perms; @@ -26710,7 +26801,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ############################## -@@ -709,20 +822,22 @@ +@@ -709,20 +828,22 @@ # Declarations # @@ -26736,7 +26827,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ############################## # # Local Policy -@@ -740,7 +855,7 @@ +@@ -740,7 +861,7 @@ allow $3 x_server_domain:x_server getattr; # everyone can do override-redirect windows. # this could be used to spoof labels @@ -26745,7 +26836,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # everyone can receive management events on the root window # allows to know when new windows appear, among other things allow $3 manage_xevent_t:x_event receive; -@@ -749,7 +864,7 @@ +@@ -749,7 +870,7 @@ # can read server-owned resources allow $3 x_server_domain:x_resource read; # can mess with own clients @@ -26754,7 +26845,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # X Protocol Extensions allow $3 std_xext_t:x_extension { query use }; -@@ -758,27 +873,17 @@ +@@ -758,27 +879,17 @@ # X Properties # can read and write client properties @@ -26787,7 +26878,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # X Input # can receive own events -@@ -805,6 +910,12 @@ +@@ -805,6 +916,12 @@ allow $3 manage_xevent_t:x_synthetic_event send; allow $3 client_xevent_t:x_synthetic_event send; 
@@ -26800,7 +26891,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # X Selections # can use the clipboard allow $3 clipboard_xselection_t:x_selection { getattr setattr read }; -@@ -813,13 +924,15 @@ +@@ -813,13 +930,15 @@ # Other X Objects # can create and use cursors @@ -26820,7 +26911,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol tunable_policy(`! xserver_object_manager',` # should be xserver_unconfined($3), -@@ -879,17 +992,17 @@ +@@ -879,17 +998,17 @@ # template(`xserver_user_x_domain_template',` gen_require(` @@ -26845,7 +26936,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # for when /tmp/.X11-unix is created by the system allow $3 xdm_t:fd use; -@@ -916,11 +1029,9 @@ +@@ -916,11 +1035,9 @@ # X object manager xserver_common_x_domain_template($1, $2, $3) @@ -26860,7 +26951,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -952,26 +1063,43 @@ +@@ -952,26 +1069,43 @@ # template(`xserver_use_user_fonts',` gen_require(` @@ -26911,7 +27002,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## Transition to a user Xauthority domain. ## ## -@@ -997,10 +1125,77 @@ +@@ -997,10 +1131,77 @@ # template(`xserver_domtrans_user_xauth',` gen_require(` @@ -26991,7 +27082,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -1030,10 +1225,10 @@ +@@ -1030,10 +1231,10 @@ # template(`xserver_user_home_dir_filetrans_user_xauth',` gen_require(` @@ -27004,7 +27095,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -1219,6 +1414,25 @@ +@@ -1219,6 +1420,25 @@ ######################################## ## 
@@ -27030,7 +27121,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## Read xdm-writable configuration files. ## ## -@@ -1273,6 +1487,7 @@ +@@ -1273,6 +1493,7 @@ files_search_tmp($1) allow $1 xdm_tmp_t:dir list_dir_perms; create_sock_files_pattern($1, xdm_tmp_t, xdm_tmp_t) @@ -27038,7 +27129,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -1291,7 +1506,7 @@ +@@ -1291,7 +1512,7 @@ ') files_search_pids($1) @@ -27047,7 +27138,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -1314,6 +1529,24 @@ +@@ -1314,6 +1535,24 @@ ######################################## ## @@ -27072,7 +27163,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## Execute the X server in the XDM X server domain. ## ## -@@ -1324,15 +1557,47 @@ +@@ -1324,15 +1563,47 @@ # interface(`xserver_domtrans_xdm_xserver',` gen_require(` @@ -27121,7 +27212,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## Make an X session script an entrypoint for the specified domain. ## ## -@@ -1482,7 +1747,7 @@ +@@ -1482,7 +1753,7 @@ type xdm_xserver_tmp_t; ') @@ -27130,7 +27221,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -1674,6 +1939,26 @@ +@@ -1674,6 +1945,26 @@ ######################################## ## @@ -27157,7 +27248,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## xdm xserver RW shared memory socket. ## ## -@@ -1692,6 +1977,24 @@ +@@ -1692,6 +1983,24 @@ ######################################## ## 
@@ -27182,7 +27273,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## Interface to provide X object permissions on a given X server to ## an X client domain. Gives the domain complete control over the ## display. -@@ -1704,8 +2007,126 @@ +@@ -1704,8 +2013,126 @@ # interface(`xserver_unconfined',` gen_require(` @@ -27313,7 +27404,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.te serefpolicy-3.5.9/policy/modules/services/xserver.te --- nsaserefpolicy/policy/modules/services/xserver.te 2008-09-24 09:07:28.000000000 -0400 -+++ serefpolicy-3.5.9/policy/modules/services/xserver.te 2008-09-25 08:33:18.000000000 -0400 ++++ serefpolicy-3.5.9/policy/modules/services/xserver.te 2008-09-29 12:10:48.000000000 -0400 @@ -8,6 +8,14 @@ ## @@ -27449,7 +27540,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol manage_dirs_pattern(xdm_t, xdm_tmpfs_t, xdm_tmpfs_t) manage_files_pattern(xdm_t, xdm_tmpfs_t, xdm_tmpfs_t) -@@ -176,15 +235,25 @@ +@@ -176,15 +235,26 @@ manage_fifo_files_pattern(xdm_t, xdm_tmpfs_t, xdm_tmpfs_t) manage_sock_files_pattern(xdm_t, xdm_tmpfs_t, xdm_tmpfs_t) fs_tmpfs_filetrans(xdm_t, xdm_tmpfs_t,{ dir file lnk_file sock_file fifo_file }) @@ -27457,6 +27548,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +fs_getattr_all_fs(xdm_t) +fs_search_inotifyfs(xdm_t) +fs_list_all(xdm_t) ++fs_read_noxattr_fs_files(xdm_t) + +manage_files_pattern(xdm_t, fonts_home_t, fonts_home_t) 
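Review bot: The added `fs_read_noxattr_fs_files(xdm_t)` gives the display manager read access to files on every filesystem type without extended-attribute labelling, and nothing in the hunk says what xdm needs from them. Since xdm_t runs before and during authentication, a broad read grant like this deserves either a narrower interface for the specific filesystem involved or a comment tying it to the denial it fixes, e.g. `# xdm reads <file or feature> from non-xattr media (see <bug reference>)`. If the access is only probed and not required, a dontaudit rule would avoid widening what xdm_t can read. The neighbouring `fs_list_all(xdm_t)` and `fs_getattr_all_fs(xdm_t)` are context here and not part of this change.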
@@ -27477,7 +27569,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol allow xdm_t xdm_xserver_t:process signal; allow xdm_t xdm_xserver_t:unix_stream_socket connectto; -@@ -198,6 +267,7 @@ +@@ -198,6 +268,7 @@ allow xdm_t xdm_xserver_t:process { noatsecure siginh rlimitinh signal sigkill }; allow xdm_t xdm_xserver_t:shm rw_shm_perms; @@ -27485,7 +27577,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # connect to xdm xserver over stream socket stream_connect_pattern(xdm_t, xdm_xserver_tmp_t, xdm_xserver_tmp_t, xdm_xserver_t) -@@ -229,6 +299,7 @@ +@@ -229,6 +300,7 @@ corenet_udp_sendrecv_all_ports(xdm_t) corenet_tcp_bind_all_nodes(xdm_t) corenet_udp_bind_all_nodes(xdm_t) @@ -27493,7 +27585,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol corenet_tcp_connect_all_ports(xdm_t) corenet_sendrecv_all_client_packets(xdm_t) # xdm tries to bind to biff_port_t -@@ -241,6 +312,7 @@ +@@ -241,6 +313,7 @@ dev_getattr_mouse_dev(xdm_t) dev_setattr_mouse_dev(xdm_t) dev_rw_apm_bios(xdm_t) @@ -27501,7 +27593,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol dev_setattr_apm_bios_dev(xdm_t) dev_rw_dri(xdm_t) dev_rw_agp(xdm_t) -@@ -253,14 +325,17 @@ +@@ -253,14 +326,17 @@ dev_setattr_video_dev(xdm_t) dev_getattr_scanner_dev(xdm_t) dev_setattr_scanner_dev(xdm_t) @@ -27521,7 +27613,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol files_read_etc_files(xdm_t) files_read_var_files(xdm_t) -@@ -271,9 +346,13 @@ +@@ -271,9 +347,13 @@ files_read_usr_files(xdm_t) # Poweroff wants to create the /poweroff file when run from xdm files_create_boot_flag(xdm_t) 
@@ -27535,7 +27627,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol storage_dontaudit_read_fixed_disk(xdm_t) storage_dontaudit_write_fixed_disk(xdm_t) -@@ -282,6 +361,7 @@ +@@ -282,6 +362,7 @@ storage_dontaudit_raw_write_removable_device(xdm_t) storage_dontaudit_setattr_removable_dev(xdm_t) storage_dontaudit_rw_scsi_generic(xdm_t) @@ -27543,7 +27635,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol term_setattr_console(xdm_t) term_use_unallocated_ttys(xdm_t) -@@ -290,6 +370,7 @@ +@@ -290,6 +371,7 @@ auth_domtrans_pam_console(xdm_t) auth_manage_pam_pid(xdm_t) auth_manage_pam_console_data(xdm_t) @@ -27551,7 +27643,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol auth_rw_faillog(xdm_t) auth_write_login_records(xdm_t) -@@ -301,21 +382,25 @@ +@@ -301,21 +383,25 @@ libs_exec_lib_files(xdm_t) logging_read_generic_logs(xdm_t) @@ -27582,7 +27674,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol xserver_rw_session_template(xdm, xdm_t, xdm_tmpfs_t) xserver_unconfined(xdm_t) -@@ -348,10 +433,12 @@ +@@ -348,10 +434,12 @@ optional_policy(` alsa_domtrans(xdm_t) @@ -27595,7 +27687,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') optional_policy(` -@@ -359,6 +446,22 @@ +@@ -359,6 +447,22 @@ ') optional_policy(` @@ -27618,7 +27710,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # Talk to the console mouse server. gpm_stream_connect(xdm_t) gpm_setattr_gpmctl(xdm_t) -@@ -382,16 +485,33 @@ +@@ -382,16 +486,33 @@ ') optional_policy(` @@ -27653,7 +27745,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ifndef(`distro_redhat',` allow xdm_t self:process { execheap execmem }; -@@ -427,7 +547,7 @@ +@@ -427,7 +548,7 @@ allow xdm_xserver_t xdm_var_lib_t:file { getattr read }; dontaudit xdm_xserver_t xdm_var_lib_t:dir search; 
@@ -27662,7 +27754,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # Label pid and temporary files with derived types. manage_files_pattern(xdm_xserver_t, xdm_tmp_t, xdm_tmp_t) -@@ -439,6 +559,15 @@ +@@ -439,6 +560,15 @@ can_exec(xdm_xserver_t, xkb_var_lib_t) files_search_var_lib(xdm_xserver_t) @@ -27678,7 +27770,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # VNC v4 module in X server corenet_tcp_bind_vnc_port(xdm_xserver_t) -@@ -450,10 +579,19 @@ +@@ -450,10 +580,19 @@ # xdm_xserver_t may no longer have any reason # to read ROLE_home_t - examine this in more detail # (xauth?) @@ -27699,7 +27791,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol tunable_policy(`use_nfs_home_dirs',` fs_manage_nfs_dirs(xdm_xserver_t) fs_manage_nfs_files(xdm_xserver_t) -@@ -468,8 +606,19 @@ +@@ -468,8 +607,19 @@ optional_policy(` dbus_system_bus_client_template(xdm_xserver, xdm_xserver_t) @@ -27719,7 +27811,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol optional_policy(` resmgr_stream_connect(xdm_t) -@@ -481,8 +630,25 @@ +@@ -481,8 +631,25 @@ ') optional_policy(` @@ -27747,7 +27839,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ifndef(`distro_redhat',` allow xdm_xserver_t self:process { execheap execmem }; -@@ -491,7 +657,6 @@ +@@ -491,7 +658,6 @@ ifdef(`distro_rhel4',` allow xdm_xserver_t self:process { execheap execmem }; ') @@ -27755,7 +27847,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ######################################## # -@@ -544,3 +709,56 @@ +@@ -544,3 +710,56 @@ # allow pam_t xdm_t:fifo_file { getattr ioctl write }; ') dnl end TODO 
@@ -30711,7 +30803,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +/etc/firestarter/firestarter\.sh gen_context(system_u:object_r:dhcpc_helper_exec_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnetwork.if serefpolicy-3.5.9/policy/modules/system/sysnetwork.if --- nsaserefpolicy/policy/modules/system/sysnetwork.if 2008-08-07 11:15:12.000000000 -0400 -+++ serefpolicy-3.5.9/policy/modules/system/sysnetwork.if 2008-09-25 08:33:18.000000000 -0400 ++++ serefpolicy-3.5.9/policy/modules/system/sysnetwork.if 2008-09-30 10:01:18.000000000 -0400 @@ -553,6 +553,7 @@ type net_conf_t; ') @@ -31075,8 +31167,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.fc serefpolicy-3.5.9/policy/modules/system/unconfined.fc --- nsaserefpolicy/policy/modules/system/unconfined.fc 2008-09-11 16:42:49.000000000 -0400 -+++ serefpolicy-3.5.9/policy/modules/system/unconfined.fc 2008-09-25 14:37:47.000000000 -0400 -@@ -2,15 +2,29 @@ ++++ serefpolicy-3.5.9/policy/modules/system/unconfined.fc 2008-09-30 09:48:11.000000000 -0400 +@@ -2,15 +2,28 @@ # e.g.: # /usr/local/bin/appsrv -- gen_context(system_u:object_r:unconfined_exec_t,s0) # For the time being until someone writes a sane policy, we need initrc to transition to unconfined_t @@ -31098,7 +31190,6 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +/usr/lib32/openoffice/program/[^/]+\.bin -- gen_context(system_u:object_r:execmem_exec_t,s0) ') +/usr/bin/totem.* -- gen_context(system_u:object_r:execmem_exec_t,s0) -+/usr/bin/rhythmbox -- gen_context(system_u:object_r:execmem_exec_t,s0) +/usr/bin/sbcl -- gen_context(system_u:object_r:execmem_exec_t,s0) + +/usr/sbin/mock -- gen_context(system_u:object_r:unconfined_notrans_exec_t,s0) 
@@ -31802,7 +31893,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +/root(/.*)? gen_context(system_u:object_r:admin_home_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.5.9/policy/modules/system/userdomain.if --- nsaserefpolicy/policy/modules/system/userdomain.if 2008-08-07 11:15:12.000000000 -0400 -+++ serefpolicy-3.5.9/policy/modules/system/userdomain.if 2008-09-25 08:33:18.000000000 -0400 ++++ serefpolicy-3.5.9/policy/modules/system/userdomain.if 2008-09-29 10:56:25.000000000 -0400 @@ -28,10 +28,14 @@ class context contains; ') @@ -32242,17 +32333,20 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ####################################### -@@ -439,18 +435,18 @@ +@@ -439,18 +435,15 @@ # template(`userdom_manage_tmpfs_template',` gen_require(` - attribute $1_file_type; -+ attribute user_file_type; ++ attribute $1_usertype; ++ type user_tmpfs_t; ') - type $1_tmpfs_t, $1_file_type; -+ type $1_tmpfs_t, user_file_type; - files_tmpfs_file($1_tmpfs_t) +- files_tmpfs_file($1_tmpfs_t) ++ ifelse(`$1',`user',`',` ++ typealias user_tmpfs_t alias $1_tmpfs_t; ++ ') - manage_dirs_pattern($1_t,$1_tmpfs_t,$1_tmpfs_t) - manage_files_pattern($1_t,$1_tmpfs_t,$1_tmpfs_t) 
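Review bot: In `userdom_manage_tmpfs_template` the per-prefix `type $1_tmpfs_t` declaration is replaced by `typealias user_tmpfs_t alias $1_tmpfs_t;`, so tmpfs and shared-memory files of every role built from this template collapse into the single type `user_tmpfs_t`, and type enforcement no longer separates one role's tmpfs objects from another's. Any rule elsewhere that names a `$1_tmpfs_t`, or any domain given `userdom_manage_tmpfs(...)` (the next hunk applies it to `$1_usertype`), now reaches all of them, which is wider than the old per-role grant. If this is intended, it should be stated in the template, e.g. `# all roles share user_tmpfs_t; per-role separation of tmpfs files is intentionally dropped`. It is also worth confirming that `user_tmpfs_t` is still marked with `files_tmpfs_file(...)` where it is declared, since that call is removed here and the declaration is not visible in this hunk.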
@@ -32260,16 +32354,11 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol - manage_sock_files_pattern($1_t,$1_tmpfs_t,$1_tmpfs_t) - manage_fifo_files_pattern($1_t,$1_tmpfs_t,$1_tmpfs_t) - fs_tmpfs_filetrans($1_t,$1_tmpfs_t, { dir file lnk_file sock_file fifo_file }) -+ manage_dirs_pattern($1_usertype, $1_tmpfs_t, $1_tmpfs_t) -+ manage_files_pattern($1_usertype, $1_tmpfs_t, $1_tmpfs_t) -+ manage_lnk_files_pattern($1_usertype, $1_tmpfs_t, $1_tmpfs_t) -+ manage_sock_files_pattern($1_usertype, $1_tmpfs_t, $1_tmpfs_t) -+ manage_fifo_files_pattern($1_usertype, $1_tmpfs_t, $1_tmpfs_t) -+ fs_tmpfs_filetrans($1_usertype, $1_tmpfs_t, { dir file lnk_file sock_file fifo_file }) ++ userdom_manage_tmpfs($1_usertype) ') ####################################### -@@ -468,17 +464,17 @@ +@@ -468,17 +461,17 @@ # template(`userdom_untrusted_content_template',` gen_require(` @@ -32290,7 +32379,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol files_tmp_file($1_untrusted_content_tmp_t) # Allow user to relabel untrusted content -@@ -510,10 +506,6 @@ +@@ -510,10 +503,6 @@ ## # template(`userdom_exec_generic_pgms_template',` @@ -32301,7 +32390,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol corecmd_exec_bin($1_t) ') -@@ -531,34 +523,20 @@ +@@ -531,34 +520,20 @@ ## # template(`userdom_basic_networking_template',` @@ -32311,7 +32400,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol - - allow $1_t self:tcp_socket create_stream_socket_perms; - allow $1_t self:udp_socket create_socket_perms; -- + - corenet_all_recvfrom_unlabeled($1_t) - corenet_all_recvfrom_netlabel($1_t) - corenet_tcp_sendrecv_all_if($1_t) 
@@ -32322,11 +32411,11 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol - corenet_udp_sendrecv_all_ports($1_t) - corenet_tcp_connect_all_ports($1_t) - corenet_sendrecv_all_client_packets($1_t) - -- corenet_all_recvfrom_labeled($1_t, $1_t) + allow $1_usertype self:tcp_socket create_stream_socket_perms; + allow $1_usertype self:udp_socket create_socket_perms; +- corenet_all_recvfrom_labeled($1_t, $1_t) +- - optional_policy(` - init_tcp_recvfrom_all_daemons($1_t) - init_udp_recvfrom_all_daemons($1_t) @@ -32348,12 +32437,12 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ####################################### -@@ -575,30 +553,33 @@ +@@ -575,30 +550,33 @@ # template(`userdom_xwindows_client_template',` gen_require(` - type $1_t, $1_tmpfs_t; -+ type $1_tmpfs_t; ++ type user_tmpfs_t; ') - dev_rw_xserver_misc($1_t) @@ -32398,7 +32487,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ####################################### -@@ -629,13 +610,7 @@ +@@ -629,13 +607,7 @@ ## ## The template for allowing the user to change roles. ## @@ -32413,7 +32502,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## ## The prefix of the user domain (e.g., user ## is the prefix for user_t). -@@ -699,188 +674,202 @@ +@@ -699,188 +671,202 @@ dontaudit $1_t self:netlink_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown }; dontaudit $1_t self:netlink_route_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown nlmsg_read nlmsg_write }; @@ -32697,7 +32786,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ####################################### -@@ -902,9 +891,7 @@ +@@ -902,9 +888,7 @@ ## # template(`userdom_login_user_template', ` 
@@ -32708,7 +32797,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol userdom_base_user_template($1) -@@ -930,74 +917,77 @@ +@@ -930,74 +914,77 @@ allow $1_t self:process ~{ setcurrent setexec setrlimit execmem execstack execheap }; dontaudit $1_t self:process setrlimit; @@ -32819,7 +32908,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ') -@@ -1031,9 +1021,6 @@ +@@ -1031,9 +1018,6 @@ domain_interactive_fd($1_t) typeattribute $1_devpts_t user_ptynode; @@ -32829,7 +32918,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol typeattribute $1_tty_device_t user_ttynode; ############################## -@@ -1042,12 +1029,25 @@ +@@ -1042,12 +1026,25 @@ # # privileged home directory writers @@ -32861,7 +32950,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol optional_policy(` loadkeys_run($1_t,$1_r,$1_tty_device_t) -@@ -1087,14 +1087,16 @@ +@@ -1087,14 +1084,16 @@ # authlogin_per_role_template($1, $1_t, $1_r) @@ -32883,7 +32972,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol logging_dontaudit_send_audit_msgs($1_t) # Need to to this just so screensaver will work. Should be moved to screensaver domain -@@ -1102,28 +1104,23 @@ +@@ -1102,28 +1101,23 @@ selinux_get_enforce_mode($1_t) optional_policy(` @@ -32917,7 +33006,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ') -@@ -1134,8 +1131,7 @@ +@@ -1134,8 +1128,7 @@ ## ## ##

@@ -32927,7 +33016,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ##

##

## This template creates a user domain, types, and -@@ -1167,11 +1163,10 @@ +@@ -1167,11 +1160,10 @@ # # port access is audited even if dac would not have allowed it, so dontaudit it here @@ -32940,7 +33029,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # cjp: why? files_read_kernel_symbol_table($1_t) -@@ -1189,36 +1184,49 @@ +@@ -1189,36 +1181,49 @@ ') ') @@ -33003,7 +33092,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ') -@@ -1295,8 +1303,6 @@ +@@ -1295,8 +1300,6 @@ # Manipulate other users crontab. allow $1_t self:passwd crontab; @@ -33012,7 +33101,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol kernel_read_software_raid_state($1_t) kernel_getattr_core_if($1_t) kernel_getattr_message_if($1_t) -@@ -1318,8 +1324,6 @@ +@@ -1318,8 +1321,6 @@ dev_getattr_generic_blk_files($1_t) dev_getattr_generic_chr_files($1_t) @@ -33021,7 +33110,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # Allow MAKEDEV to work dev_create_all_blk_files($1_t) dev_create_all_chr_files($1_t) -@@ -1374,13 +1378,6 @@ +@@ -1374,13 +1375,6 @@ # But presently necessary for installing the file_contexts file. seutil_manage_bin_policy($1_t) @@ -33035,7 +33124,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol optional_policy(` postgresql_unconfined($1_t) ') -@@ -1432,6 +1429,7 @@ +@@ -1432,6 +1426,7 @@ dev_relabel_all_dev_nodes($1) files_create_boot_flag($1) @@ -33043,7 +33132,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # Necessary for managing /boot/efi fs_manage_dos_files($1) -@@ -1461,10 +1459,6 @@ +@@ -1461,10 +1456,6 @@ seutil_run_semanage($1,$2,$3) seutil_run_setfiles($1, $2, $3) 
@@ -33054,7 +33143,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol optional_policy(` aide_run($1,$2, $3) ') -@@ -1484,6 +1478,14 @@ +@@ -1484,6 +1475,14 @@ optional_policy(` netlabel_run_mgmt($1,$2, $3) ') @@ -33069,7 +33158,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -1741,11 +1743,15 @@ +@@ -1741,11 +1740,15 @@ # template(`userdom_user_home_content',` gen_require(` @@ -33088,7 +33177,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -1841,11 +1847,11 @@ +@@ -1841,11 +1844,11 @@ # template(`userdom_search_user_home_dirs',` gen_require(` @@ -33102,7 +33191,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -1875,11 +1881,11 @@ +@@ -1875,11 +1878,11 @@ # template(`userdom_list_user_home_dirs',` gen_require(` @@ -33116,7 +33205,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -1923,12 +1929,12 @@ +@@ -1923,12 +1926,12 @@ # template(`userdom_user_home_domtrans',` gen_require(` @@ -33132,7 +33221,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -1958,10 +1964,11 @@ +@@ -1958,10 +1961,11 @@ # template(`userdom_dontaudit_list_user_home_dirs',` gen_require(` @@ -33146,7 +33235,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -1993,11 +2000,47 @@ +@@ -1993,11 +1997,47 @@ # template(`userdom_manage_user_home_content_dirs',` gen_require(` 
@@ -33196,7 +33285,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -2029,10 +2072,10 @@ +@@ -2029,10 +2069,10 @@ # template(`userdom_dontaudit_setattr_user_home_content_files',` gen_require(` @@ -33209,7 +33298,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -2062,11 +2105,11 @@ +@@ -2062,11 +2102,11 @@ # template(`userdom_read_user_home_content_files',` gen_require(` @@ -33223,7 +33312,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -2096,11 +2139,11 @@ +@@ -2096,11 +2136,11 @@ # template(`userdom_dontaudit_read_user_home_content_files',` gen_require(` @@ -33238,7 +33327,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -2130,10 +2173,14 @@ +@@ -2130,10 +2170,14 @@ # template(`userdom_dontaudit_write_user_home_content_files',` gen_require(` @@ -33255,7 +33344,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -2163,11 +2210,11 @@ +@@ -2163,11 +2207,11 @@ # template(`userdom_read_user_home_content_symlinks',` gen_require(` @@ -33269,7 +33358,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -2197,11 +2244,11 @@ +@@ -2197,11 +2241,11 @@ # template(`userdom_exec_user_home_content_files',` gen_require(` @@ -33283,7 +33372,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -2231,10 +2278,10 @@ +@@ -2231,10 +2275,10 @@ # template(`userdom_dontaudit_exec_user_home_content_files',` gen_require(` 
@@ -33296,7 +33385,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -2266,12 +2313,12 @@ +@@ -2266,12 +2310,12 @@ # template(`userdom_manage_user_home_content_files',` gen_require(` @@ -33312,7 +33401,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -2303,10 +2350,10 @@ +@@ -2303,10 +2347,10 @@ # template(`userdom_dontaudit_manage_user_home_content_dirs',` gen_require(` @@ -33325,7 +33414,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -2338,12 +2385,12 @@ +@@ -2338,12 +2382,12 @@ # template(`userdom_manage_user_home_content_symlinks',` gen_require(` @@ -33341,7 +33430,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -2375,12 +2422,12 @@ +@@ -2375,12 +2419,12 @@ # template(`userdom_manage_user_home_content_pipes',` gen_require(` @@ -33357,7 +33446,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -2412,12 +2459,12 @@ +@@ -2412,12 +2456,12 @@ # template(`userdom_manage_user_home_content_sockets',` gen_require(` @@ -33373,7 +33462,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -2462,11 +2509,11 @@ +@@ -2462,11 +2506,11 @@ # template(`userdom_user_home_dir_filetrans',` gen_require(` @@ -33387,7 +33476,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -2511,11 +2558,11 @@ +@@ -2511,11 +2555,11 @@ # template(`userdom_user_home_content_filetrans',` gen_require(` 
@@ -33401,7 +33490,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -2555,11 +2602,11 @@ +@@ -2555,11 +2599,11 @@ # template(`userdom_user_home_dir_filetrans_user_home_content',` gen_require(` @@ -33415,7 +33504,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -2589,11 +2636,11 @@ +@@ -2589,11 +2633,11 @@ # template(`userdom_write_user_tmp_sockets',` gen_require(` @@ -33429,7 +33518,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -2623,11 +2670,11 @@ +@@ -2623,11 +2667,11 @@ # template(`userdom_list_user_tmp',` gen_require(` @@ -33443,7 +33532,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -2659,10 +2706,10 @@ +@@ -2659,10 +2703,10 @@ # template(`userdom_dontaudit_list_user_tmp',` gen_require(` @@ -33456,7 +33545,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -2694,10 +2741,10 @@ +@@ -2694,10 +2738,10 @@ # template(`userdom_dontaudit_manage_user_tmp_dirs',` gen_require(` @@ -33469,7 +33558,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -2727,12 +2774,12 @@ +@@ -2727,12 +2771,12 @@ # template(`userdom_read_user_tmp_files',` gen_require(` @@ -33485,7 +33574,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -2764,10 +2811,10 @@ +@@ -2764,10 +2808,10 @@ # template(`userdom_dontaudit_read_user_tmp_files',` gen_require(` 
@@ -33498,7 +33587,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -2799,10 +2846,10 @@ +@@ -2799,10 +2843,10 @@ # template(`userdom_dontaudit_append_user_tmp_files',` gen_require(` @@ -33511,7 +33600,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -2832,12 +2879,12 @@ +@@ -2832,12 +2876,12 @@ # template(`userdom_rw_user_tmp_files',` gen_require(` @@ -33527,7 +33616,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -2869,10 +2916,10 @@ +@@ -2869,10 +2913,10 @@ # template(`userdom_dontaudit_manage_user_tmp_files',` gen_require(` @@ -33540,7 +33629,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -2904,12 +2951,12 @@ +@@ -2904,12 +2948,12 @@ # template(`userdom_read_user_tmp_symlinks',` gen_require(` @@ -33556,7 +33645,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -2941,11 +2988,11 @@ +@@ -2941,11 +2985,11 @@ # template(`userdom_manage_user_tmp_dirs',` gen_require(` @@ -33570,7 +33659,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -2977,11 +3024,11 @@ +@@ -2977,11 +3021,11 @@ # template(`userdom_manage_user_tmp_files',` gen_require(` @@ -33584,7 +33673,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -3013,11 +3060,11 @@ +@@ -3013,11 +3057,11 @@ # template(`userdom_manage_user_tmp_symlinks',` gen_require(` 
@@ -33598,7 +33687,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -3049,11 +3096,11 @@ +@@ -3049,11 +3093,11 @@ # template(`userdom_manage_user_tmp_pipes',` gen_require(` @@ -33612,7 +33701,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -3085,11 +3132,11 @@ +@@ -3085,11 +3129,11 @@ # template(`userdom_manage_user_tmp_sockets',` gen_require(` @@ -33626,7 +33715,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -3134,10 +3181,10 @@ +@@ -3134,10 +3178,10 @@ # template(`userdom_user_tmp_filetrans',` gen_require(` @@ -33639,7 +33728,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol files_search_tmp($2) ') -@@ -3178,19 +3225,19 @@ +@@ -3178,19 +3222,19 @@ # template(`userdom_tmp_filetrans_user_tmp',` gen_require(` @@ -33663,7 +33752,25 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ##

##

## This is a templated interface, and should only -@@ -4616,11 +4663,11 @@ +@@ -3211,13 +3255,13 @@ + # + template(`userdom_rw_user_tmpfs_files',` + gen_require(` +- type $1_tmpfs_t; ++ type user_tmpfs_t; + ') + + fs_search_tmpfs($2) +- allow $2 $1_tmpfs_t:dir list_dir_perms; +- rw_files_pattern($2,$1_tmpfs_t,$1_tmpfs_t) +- read_lnk_files_pattern($2,$1_tmpfs_t,$1_tmpfs_t) ++ allow $2 user_tmpfs_t:dir list_dir_perms; ++ rw_files_pattern($2,user_tmpfs_t,user_tmpfs_t) ++ read_lnk_files_pattern($2,user_tmpfs_t,user_tmpfs_t) + ') + + ######################################## +@@ -4616,11 +4660,11 @@ # interface(`userdom_search_all_users_home_dirs',` gen_require(` @@ -33677,7 +33784,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -4640,6 +4687,14 @@ +@@ -4640,6 +4684,14 @@ files_list_home($1) allow $1 home_dir_type:dir list_dir_perms; @@ -33692,7 +33799,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -4677,6 +4732,8 @@ +@@ -4677,6 +4729,8 @@ ') dontaudit $1 { home_dir_type home_type }:dir search_dir_perms; @@ -33701,7 +33808,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -4721,6 +4778,25 @@ +@@ -4721,6 +4775,25 @@ ######################################## ##
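Review bot: In the added userdom_rw_user_tmpfs_files hunk the body no longer references `$1`, so the user-domain prefix a caller passes has no effect and every caller gets read/write on the one `user_tmpfs_t` type. The per-prefix `$1_tmpfs_t` types kept each role's tmpfs files apart at the type level; that separation is gone, which appears intended but is not recorded at the interface. I would add to the template's description a line such as `## The prefix argument is ignored; access is to user_tmpfs_t, which all user roles share.` The same applies to userdom_read_user_tmpfs_files in the hunk at `@@ -34250,13 +34357,13 @@`. The template's doc header starts outside the hunk.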

@@ -33727,7 +33834,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## Create, read, write, and delete all files ## in all users home directories. ## -@@ -4946,7 +5022,7 @@ +@@ -4946,7 +5019,7 @@ ######################################## ## @@ -33736,7 +33843,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## ## ## -@@ -5318,7 +5394,7 @@ +@@ -5318,7 +5391,7 @@ ######################################## ## @@ -33745,7 +33852,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## ## ## -@@ -5326,18 +5402,17 @@ +@@ -5326,18 +5399,17 @@ ## ## # @@ -33768,7 +33875,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## ## ## -@@ -5345,17 +5420,17 @@ +@@ -5345,17 +5417,17 @@ ## ## # @@ -33790,7 +33897,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ##
## ## -@@ -5363,18 +5438,18 @@ +@@ -5363,18 +5435,18 @@ ## ## # @@ -33814,7 +33921,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ##
## ## -@@ -5382,17 +5457,54 @@ +@@ -5382,17 +5454,54 @@ ## ## # @@ -33873,7 +33980,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## ## ## -@@ -5483,6 +5595,42 @@ +@@ -5483,6 +5592,42 @@ ######################################## ## @@ -33916,7 +34023,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## Send a dbus message to all user domains. ## ## -@@ -5513,3 +5661,524 @@ +@@ -5513,3 +5658,548 @@ interface(`userdom_unconfined',` refpolicywarn(`$0($*) has been deprecated.') ') @@ -34250,13 +34357,13 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +# +template(`userdom_read_user_tmpfs_files',` + gen_require(` -+ type $1_tmpfs_t; ++ type user_tmpfs_t; + ') + + fs_search_tmpfs($2) -+ allow $2 $1_tmpfs_t:dir list_dir_perms; -+ read_files_pattern($2, $1_tmpfs_t, $1_tmpfs_t) -+ read_lnk_files_pattern($2, $1_tmpfs_t, $1_tmpfs_t) ++ allow $2 user_tmpfs_t:dir list_dir_perms; ++ read_files_pattern($2, user_tmpfs_t, user_tmpfs_t) ++ read_lnk_files_pattern($2, user_tmpfs_t, user_tmpfs_t) +') + +####################################### 
@@ -34441,9 +34548,33 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + + dontaudit $1 user_home_t:file unlink; +') ++ ++####################################### ++## ++## The template for creating a tmpfs type ++## that the user has full access. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`userdom_manage_tmpfs',` ++ gen_require(` ++ type user_tmpfs_t; ++ ') ++ ++ manage_dirs_pattern($1, user_tmpfs_t, user_tmpfs_t) ++ manage_files_pattern($1, user_tmpfs_t, user_tmpfs_t) ++ manage_lnk_files_pattern($1, user_tmpfs_t, user_tmpfs_t) ++ manage_sock_files_pattern($1, user_tmpfs_t, user_tmpfs_t) ++ manage_fifo_files_pattern($1, user_tmpfs_t, user_tmpfs_t) ++ fs_tmpfs_filetrans($1, user_tmpfs_t, { dir file lnk_file sock_file fifo_file }) ++') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.te serefpolicy-3.5.9/policy/modules/system/userdomain.te --- nsaserefpolicy/policy/modules/system/userdomain.te 2008-08-07 11:15:12.000000000 -0400 -+++ serefpolicy-3.5.9/policy/modules/system/userdomain.te 2008-09-25 08:33:18.000000000 -0400 ++++ serefpolicy-3.5.9/policy/modules/system/userdomain.te 2008-09-29 08:43:56.000000000 -0400 @@ -8,13 +8,6 @@ ## @@ -34485,7 +34616,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # The privhome attribute identifies every domain that can create files under # regular user home directories in the regular context (IE act on behalf of # a user in writing regular files) -@@ -81,6 +73,72 @@ +@@ -81,6 +73,76 @@ # unprivileged user domains attribute unpriv_userdomain; @@ -34521,6 +34652,10 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +type user_tmp_t, user_file_type, user_tmpfile; +files_tmp_file(user_tmp_t) + ++type user_tmpfs_t, user_file_type; ++files_tmpfs_file(user_tmpfs_t) ++ ++ +############################## +# +# User home directory file rules 
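Review bot: The summary added for userdom_manage_tmpfs reads "The template for creating a tmpfs type that the user has full access", but the block is an interface that creates no type: it grants the calling domain `$1` manage access to user_tmpfs_t directories, files, symlinks, sockets and fifos, plus a type transition in tmpfs. I would reword the summary to `## Create, read, write, and delete user tmpfs directories, files, symlinks, sockets and named pipes.` Because user_tmpfs_t is a single type, a domain given this interface can presumably modify tmpfs objects belonging to any user session, so confined callers that only read such files are better served by a read-only interface.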
diff --git a/selinux-policy.spec b/selinux-policy.spec index 735da8e5..1bc1b2ee 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -10,14 +10,14 @@ %if %{?BUILD_MLS:0}%{!?BUILD_MLS:1} %define BUILD_MLS 1 %endif -%define POLICYVER 21 +%define POLICYVER 23 %define libsepolver 2.0.20-1 %define POLICYCOREUTILSVER 2.0.54-2 %define CHECKPOLICYVER 2.0.16-1 Summary: SELinux policy configuration Name: selinux-policy Version: 3.5.9 -Release: 1%{?dist} +Release: 2%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -40,8 +40,9 @@ Source15: securetty_types-mls Url: http://serefpolicy.sourceforge.net BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n) BuildArch: noarch -BuildRequires: python gawk checkpolicy >= %{CHECKPOLICYVER} m4 policycoreutils >= %{POLICYCOREUTILSVER} +BuildRequires: python gawk checkpolicy >= %{CHECKPOLICYVER} m4 policycoreutils >= %{POLICYCOREUTILSVER} bzip2 Requires(pre): policycoreutils >= %{POLICYCOREUTILSVER} libsemanage >= 2.0.14-3 +Requires(post): /usr/bin/bunzip2 Requires: checkpolicy >= %{CHECKPOLICYVER} m4 Obsoletes: selinux-policy-devel Provides: selinux-policy-devel @@ -77,6 +78,9 @@ cp -f $RPM_SOURCE_DIR/booleans-%1.conf ./policy/booleans.conf \ %define moduleList() %([ -f %{_sourcedir}/modules-%{1}.conf ] && \ awk '$1 !~ "/^#/" && $2 == "=" && $3 == "module" { printf "-i %%s.pp ", $1 }' %{_sourcedir}/modules-%{1}.conf ) +%define bzmoduleList() %([ -f %{_sourcedir}/modules-%{1}.conf ] && \ +awk '$1 !~ "/^#/" && $2 == "=" && $3 == "module" { printf " ../%%s.pp.bz2 ", $1 }' %{_sourcedir}/modules-%{1}.conf ) + %define installCmds() \ make UNK_PERMS=%5 NAME=%1 TYPE=%2 DISTRO=%{distro} DIRECT_INITRC=%3 MONOLITHIC=%{monolithic} POLY=%4 MLS_CATS=1024 MCS_CATS=1024 base.pp \ make validate UNK_PERMS=%5 NAME=%1 TYPE=%2 DISTRO=%{distro} DIRECT_INITRC=%3 MONOLITHIC=%{monolithic} POLY=%4 MLS_CATS=1024 MCS_CATS=1024 modules \ 
@@ -96,12 +100,13 @@ touch %{buildroot}%{_sysconfdir}/selinux/%1/contexts/files/file_contexts.homedir install -m0644 $RPM_SOURCE_DIR/securetty_types-%1 %{buildroot}%{_sysconfdir}/selinux/%1/contexts/securetty_types \ install -m0644 $RPM_SOURCE_DIR/setrans-%1.conf %{buildroot}%{_sysconfdir}/selinux/%1/setrans.conf \ echo -n > %{buildroot}%{_sysconfdir}/selinux/%1/contexts/customizable_types \ +bzip2 %{buildroot}/%{_usr}/share/selinux/%1/*.pp %nil %define fileList() \ %defattr(-,root,root) \ %dir %{_usr}/share/selinux/%1 \ -%{_usr}/share/selinux/%1/*.pp \ +%{_usr}/share/selinux/%1/*.pp.bz2 \ %dir %{_sysconfdir}/selinux/%1 \ %config(noreplace) %{_sysconfdir}/selinux/%1/setrans.conf \ %ghost %{_sysconfdir}/selinux/%1/seusers \ @@ -144,9 +149,13 @@ if [ -s /etc/selinux/config ]; then \ fi %define loadpolicy() \ -( cd /usr/share/selinux/%1; \ +tempdir=`mktemp -d /usr/share/selinux/%1/tmpXXXX`; \ +( cd $tempdir; \ +cp ../base.pp.bz2 %{expand:%%bzmoduleList %1} .; \ +bunzip2 *; \ semodule -b base.pp %{expand:%%moduleList %1} -s %1; \ ); \ +rm -rf $tempdir; \ %define relabel() \ . %{_sysconfdir}/selinux/config; \ @@ -381,6 +390,10 @@ exit 0 %endif %changelog +* Mon Sep 29 2008 Dan Walsh 3.5.9-2 +- Change all user tmpfs_t files to be labeled user_tmpfs_t +- Allow radiusd to create sock_files + * Wed Sep 24 2008 Dan Walsh 3.5.9-1 - Upgrade to upstream
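Review bot: The new loadpolicy body in the hunk at `@@ -144,9 +149,13 @@` never checks that `mktemp -d` succeeded or that `cd $tempdir` worked, and `$tempdir` is unquoted throughout. If mktemp fails, the unquoted empty variable turns the `cd` into a bare `cd`, so `bunzip2 *` and `semodule -b base.pp` run as root in whatever directory the scriptlet ends up in rather than in the scratch directory. I would guard on the directory existing, chain the steps inside the subshell with `&&`, and quote the variable in the `rm -rf`, as sketched below.

```spec
%define loadpolicy() \
# … unchanged: tempdir=`mktemp -d …` assignment …
if [ -d "$tempdir" ]; then \
( cd "$tempdir" && \
cp ../base.pp.bz2 %{expand:%%bzmoduleList %1} . && \
bunzip2 * && \
semodule -b base.pp %{expand:%%moduleList %1} -s %1; \
); \
rm -rf "$tempdir"; \
fi; \
```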