diff --git a/policy-20080509.patch b/policy-20080509.patch index cd5588f7..4d668ba2 100644 --- a/policy-20080509.patch +++ b/policy-20080509.patch @@ -25797,7 +25797,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser /var/lib/pam_devperm/:0 -- gen_context(system_u:object_r:xdm_var_lib_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.if serefpolicy-3.4.1/policy/modules/services/xserver.if --- nsaserefpolicy/policy/modules/services/xserver.if 2008-05-19 10:26:38.000000000 -0400 -+++ serefpolicy-3.4.1/policy/modules/services/xserver.if 2008-05-30 16:24:12.019801000 -0400 ++++ serefpolicy-3.4.1/policy/modules/services/xserver.if 2008-05-30 16:30:55.173240000 -0400 @@ -128,18 +128,24 @@ dev_rw_agp($1_xserver_t) dev_rw_framebuffer($1_xserver_t) @@ -25929,7 +25929,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser # For startup relabel - allow $2 $1_fonts_cache_t:{ dir file } { relabelto relabelfrom }; -+ allow $2 fonts_cache_t:{ dir file } { relabelto relabelfrom }; ++ allow $2 fonts_cache_home_t:{ dir file } { relabelto relabelfrom }; stream_connect_pattern($2,$1_xserver_tmp_t,$1_xserver_tmp_t,$1_xserver_t) @@ -32040,11 +32040,12 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo +/root(/.*)? gen_context(system_u:object_r:admin_home_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.4.1/policy/modules/system/userdomain.if --- nsaserefpolicy/policy/modules/system/userdomain.if 2008-05-29 15:55:43.000000000 -0400 -+++ serefpolicy-3.4.1/policy/modules/system/userdomain.if 2008-05-30 15:04:49.615583000 -0400 -@@ -29,9 +29,14 @@ ++++ serefpolicy-3.4.1/policy/modules/system/userdomain.if 2008-05-30 16:48:21.455393000 -0400 +@@ -28,10 +28,14 @@ + class context contains; ') - attribute $1_file_type; +- attribute $1_file_type; + attribute $1_usertype; - type $1_t, userdomain; @@ -32057,7 +32058,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo corecmd_shell_entry_type($1_t) corecmd_bin_entry_type($1_t) domain_user_exemption_target($1_t) -@@ -45,66 +50,80 @@ +@@ -45,66 +49,80 @@ type $1_tty_device_t; term_user_tty($1_t,$1_tty_device_t) @@ -32186,7 +32187,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo tunable_policy(`allow_execmem',` # Allow loading DSOs that require executable stack. -@@ -115,6 +134,10 @@ +@@ -115,6 +133,10 @@ # Allow making the stack executable via mprotect. allow $1_t self:process execstack; ') @@ -32197,7 +32198,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ####################################### -@@ -141,33 +164,13 @@ +@@ -141,33 +163,13 @@ # template(`userdom_ro_home_template',` gen_require(` @@ -32236,7 +32237,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ############################## # -@@ -175,13 +178,14 @@ +@@ -175,13 +177,14 @@ # # read-only home directory @@ -32258,7 +32259,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo files_list_home($1_t) tunable_policy(`use_nfs_home_dirs',` -@@ -190,9 +194,6 @@ +@@ -190,9 +193,6 @@ fs_read_nfs_symlinks($1_t) fs_read_nfs_named_sockets($1_t) fs_read_nfs_named_pipes($1_t) @@ -32268,7 +32269,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') tunable_policy(`use_samba_home_dirs',` -@@ -201,9 +202,6 @@ +@@ -201,9 +201,6 @@ fs_read_cifs_symlinks($1_t) fs_read_cifs_named_sockets($1_t) fs_read_cifs_named_pipes($1_t) @@ -32278,7 +32279,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ') -@@ -231,30 +229,14 @@ +@@ -231,30 +228,14 @@ # template(`userdom_manage_home_template',` gen_require(` @@ -32315,7 +32316,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ############################## # -@@ -262,43 +244,44 @@ +@@ -262,43 +243,44 @@ # # full control of the home directory @@ -32390,7 +32391,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ') -@@ -316,14 +299,20 @@ +@@ -316,14 +298,20 @@ ## # template(`userdom_exec_home_template',` @@ -32416,7 +32417,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ') -@@ -341,11 +330,10 @@ +@@ -341,11 +329,10 @@ ## # template(`userdom_poly_home_template',` @@ -32432,7 +32433,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ####################################### -@@ -369,18 +357,18 @@ +@@ -369,18 +356,18 @@ # template(`userdom_manage_tmp_template',` gen_require(` @@ -32461,7 +32462,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ####################################### -@@ -396,7 +384,13 @@ +@@ -396,7 +383,13 @@ ## # template(`userdom_exec_tmp_template',` @@ -32476,8 +32477,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ####################################### -@@ -445,12 +439,12 @@ - type $1_tmpfs_t, $1_file_type; +@@ -439,18 +432,18 @@ + # + template(`userdom_manage_tmpfs_template',` + gen_require(` +- attribute $1_file_type; ++ attribute user_file_type; + ') + +- type $1_tmpfs_t, $1_file_type; ++ type $1_tmpfs_t, user_file_type; files_tmpfs_file($1_tmpfs_t) - manage_dirs_pattern($1_t,$1_tmpfs_t,$1_tmpfs_t) @@ -32495,7 +32504,28 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ####################################### -@@ -510,10 +504,6 @@ +@@ -468,17 +461,17 @@ + # + template(`userdom_untrusted_content_template',` + gen_require(` +- attribute $1_file_type; ++ attribute user_file_type; + attribute untrusted_content_type, untrusted_content_tmp_type; + type $1_t; + ') + + # types for network-obtained content +- type $1_untrusted_content_t, $1_file_type, untrusted_content_type; #, customizable ++ type $1_untrusted_content_t, user_file_type, untrusted_content_type; #, customizable + files_type($1_untrusted_content_t) + files_poly_member($1_untrusted_content_t) + +- type $1_untrusted_content_tmp_t, $1_file_type, untrusted_content_tmp_type; # customizable ++ type $1_untrusted_content_tmp_t, user_file_type, untrusted_content_tmp_type; # customizable + files_tmp_file($1_untrusted_content_tmp_t) + + # Allow user to relabel untrusted content +@@ -510,10 +503,6 @@ ## # template(`userdom_exec_generic_pgms_template',` @@ -32506,16 +32536,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo corecmd_exec_bin($1_t) ') -@@ -531,27 +521,20 @@ +@@ -531,27 +520,20 @@ ## # template(`userdom_basic_networking_template',` - gen_require(` - type $1_t; - ') -- + - allow $1_t self:tcp_socket create_stream_socket_perms; - allow $1_t self:udp_socket create_socket_perms; ++ allow $1_usertype self:tcp_socket create_stream_socket_perms; ++ allow $1_usertype self:udp_socket create_socket_perms; - corenet_all_recvfrom_unlabeled($1_t) - corenet_all_recvfrom_netlabel($1_t) @@ -32527,9 +32559,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo - corenet_udp_sendrecv_all_ports($1_t) - corenet_tcp_connect_all_ports($1_t) - corenet_sendrecv_all_client_packets($1_t) -+ allow $1_usertype self:tcp_socket create_stream_socket_perms; -+ allow $1_usertype self:udp_socket create_socket_perms; - +- - optional_policy(` - ipsec_match_default_spd($1_t) - ') @@ -32546,7 +32576,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ####################################### -@@ -568,30 +551,33 @@ +@@ -568,30 +550,33 @@ # template(`userdom_xwindows_client_template',` gen_require(` @@ -32596,7 +32626,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ####################################### -@@ -622,13 +608,7 @@ +@@ -622,13 +607,7 @@ ## ## The template for allowing the user to change roles. ## @@ -32611,7 +32641,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ## ## The prefix of the user domain (e.g., user ## is the prefix for user_t). -@@ -692,183 +672,198 @@ +@@ -692,183 +671,198 @@ dontaudit $1_t self:netlink_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown }; dontaudit $1_t self:netlink_route_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown nlmsg_read nlmsg_write }; @@ -32891,7 +32921,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') optional_policy(` -@@ -895,6 +890,8 @@ +@@ -895,6 +889,8 @@ ## # template(`userdom_login_user_template', ` @@ -32900,7 +32930,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo userdom_base_user_template($1) userdom_manage_home_template($1) -@@ -923,70 +920,73 @@ +@@ -923,70 +919,73 @@ allow $1_t self:context contains; @@ -33007,7 +33037,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ') -@@ -1020,9 +1020,6 @@ +@@ -1020,9 +1019,6 @@ domain_interactive_fd($1_t) typeattribute $1_devpts_t user_ptynode; @@ -33017,7 +33047,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo typeattribute $1_tty_device_t user_ttynode; ############################## -@@ -1031,16 +1028,29 @@ +@@ -1031,16 +1027,29 @@ # # privileged home directory writers @@ -33054,7 +33084,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ####################################### -@@ -1068,6 +1078,13 @@ +@@ -1068,6 +1077,13 @@ userdom_restricted_user_template($1) @@ -33068,7 +33098,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo userdom_xwindows_client_template($1) ############################## -@@ -1076,14 +1093,16 @@ +@@ -1076,14 +1092,16 @@ # authlogin_per_role_template($1, $1_t, $1_r) @@ -33090,7 +33120,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo logging_dontaudit_send_audit_msgs($1_t) # Need to to this just so screensaver will work. Should be moved to screensaver domain -@@ -1091,28 +1110,23 @@ +@@ -1091,28 +1109,23 @@ selinux_get_enforce_mode($1_t) optional_policy(` @@ -33126,7 +33156,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ') -@@ -1123,10 +1137,10 @@ +@@ -1123,10 +1136,10 @@ ## ## ##

@@ -33141,7 +33171,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ## This template creates a user domain, types, and ## rules for the user's tty, pty, home directories, ## tmp, and tmpfs files. -@@ -1160,7 +1174,6 @@ +@@ -1160,7 +1173,6 @@ # Need the following rule to allow users to run vpnc corenet_tcp_bind_xserver_port($1_t) @@ -33149,7 +33179,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo # cjp: why? files_read_kernel_symbol_table($1_t) -@@ -1178,32 +1191,45 @@ +@@ -1178,32 +1190,45 @@ ') ') @@ -33179,10 +33209,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo optional_policy(` - ppp_run_cond($1_t,$1_r,{ $1_tty_device_t $1_devpts_t }) + games_rw_data($1_usertype) - ') - - optional_policy(` -- setroubleshoot_stream_connect($1_t) ++ ') ++ ++ optional_policy(` + mount_run($1_t,$1_r,{ $1_tty_device_t $1_devpts_t }) + ') + @@ -33192,9 +33221,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo + + optional_policy(` + polkit_per_role_template($1, $1_usertype, $1_r) -+ ') -+ -+ optional_policy(` + ') + + optional_policy(` +- setroubleshoot_stream_connect($1_t) + java_per_role_template($1, $1_t, $1_r) + ') + @@ -33207,7 +33237,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ') -@@ -1280,8 +1306,6 @@ +@@ -1280,8 +1305,6 @@ # Manipulate other users crontab. allow $1_t self:passwd crontab; @@ -33216,7 +33246,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo kernel_read_software_raid_state($1_t) kernel_getattr_core_if($1_t) kernel_getattr_message_if($1_t) -@@ -1303,8 +1327,6 @@ +@@ -1303,8 +1326,6 @@ dev_getattr_generic_blk_files($1_t) dev_getattr_generic_chr_files($1_t) @@ -33225,7 +33255,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo # Allow MAKEDEV to work dev_create_all_blk_files($1_t) dev_create_all_chr_files($1_t) -@@ -1359,13 +1381,6 @@ +@@ -1359,13 +1380,6 @@ # But presently necessary for installing the file_contexts file. seutil_manage_bin_policy($1_t) @@ -33239,7 +33269,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo optional_policy(` userhelper_exec($1_t) ') -@@ -1413,6 +1428,7 @@ +@@ -1413,6 +1427,7 @@ dev_relabel_all_dev_nodes($1) files_create_boot_flag($1) @@ -33247,7 +33277,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo # Necessary for managing /boot/efi fs_manage_dos_files($1) -@@ -1442,10 +1458,6 @@ +@@ -1442,10 +1457,6 @@ seutil_run_semanage($1,$2,$3) seutil_run_setfiles($1, $2, $3) @@ -33258,7 +33288,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo optional_policy(` aide_run($1,$2, $3) ') -@@ -1465,12 +1477,30 @@ +@@ -1465,12 +1476,30 @@ optional_policy(` netlabel_run_mgmt($1,$2, $3) ') @@ -33289,7 +33319,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ## ##

## The prefix of the user role (e.g., user -@@ -1480,8 +1510,7 @@ +@@ -1480,8 +1509,7 @@ ## # template(`userdom_role_change_generic_user',` @@ -33299,7 +33329,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -1508,14 +1537,23 @@ +@@ -1508,14 +1536,23 @@ ## # template(`userdom_role_change_from_generic_user',` @@ -33325,7 +33355,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ## ## ## The prefix of the user role (e.g., user -@@ -1525,8 +1563,7 @@ +@@ -1525,8 +1562,7 @@ ## # template(`userdom_role_change_staff',` @@ -33335,7 +33365,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -1553,14 +1590,23 @@ +@@ -1553,14 +1589,23 @@ ## # template(`userdom_role_change_from_staff',` @@ -33361,7 +33391,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ## ## ## The prefix of the user role (e.g., user -@@ -1570,8 +1616,7 @@ +@@ -1570,8 +1615,7 @@ ## # template(`userdom_role_change_sysadm',` @@ -33371,7 +33401,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -1598,14 +1643,23 @@ +@@ -1598,14 +1642,23 @@ ## # template(`userdom_role_change_from_sysadm',` @@ -33397,7 +33427,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ## ## ## The prefix of the user role (e.g., user -@@ -1615,8 +1669,11 @@ +@@ -1615,8 +1668,11 @@ ## # template(`userdom_role_change_secadm',` @@ -33411,7 +33441,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -1643,14 +1700,27 @@ +@@ -1643,14 +1699,27 @@ ## # template(`userdom_role_change_from_secadm',` @@ -33441,7 +33471,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ## ## ## The prefix of the auditadm role (e.g., user -@@ -1660,8 +1730,11 @@ +@@ -1660,8 +1729,11 @@ ## # template(`userdom_role_change_auditadm',` @@ -33455,7 +33485,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -1688,8 +1761,11 @@ +@@ -1688,8 +1760,11 @@ ## # template(`userdom_role_change_from_auditadm',` @@ -33469,23 +33499,26 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -1723,10 +1799,14 @@ +@@ -1722,11 +1797,15 @@ + # template(`userdom_user_home_content',` gen_require(` - attribute $1_file_type; +- attribute $1_file_type; ++ attribute user_file_type; + attribute user_home_type; + attribute home_type; ') - typeattribute $2 $1_file_type; +- typeattribute $2 $1_file_type; - files_type($2) ++ typeattribute $2 user_file_type; + typeattribute $2 user_home_type; + typeattribute $2 home_type; + files_poly_member($2) ') ######################################## -@@ -1822,11 +1902,11 @@ +@@ -1822,11 +1901,11 @@ # template(`userdom_search_user_home_dirs',` gen_require(` @@ -33499,7 +33532,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -1856,11 +1936,11 @@ +@@ -1856,11 +1935,11 @@ # template(`userdom_list_user_home_dirs',` gen_require(` @@ -33513,7 +33546,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -1904,12 +1984,12 @@ +@@ -1904,12 +1983,12 @@ # template(`userdom_user_home_domtrans',` gen_require(` @@ -33529,7 +33562,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -1939,10 +2019,11 @@ +@@ -1939,10 +2018,11 @@ # template(`userdom_dontaudit_list_user_home_dirs',` gen_require(` @@ -33543,7 +33576,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -1974,11 +2055,47 @@ +@@ -1974,11 +2054,47 @@ # template(`userdom_manage_user_home_content_dirs',` gen_require(` @@ -33593,7 +33626,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2010,10 +2127,10 @@ +@@ -2010,10 +2126,10 @@ # template(`userdom_dontaudit_setattr_user_home_content_files',` gen_require(` @@ -33606,7 +33639,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2043,11 +2160,11 @@ +@@ -2043,11 +2159,11 @@ # template(`userdom_read_user_home_content_files',` gen_require(` @@ -33620,7 +33653,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2077,11 +2194,11 @@ +@@ -2077,11 +2193,11 @@ # template(`userdom_dontaudit_read_user_home_content_files',` gen_require(` @@ -33635,7 +33668,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2111,10 +2228,14 @@ +@@ -2111,10 +2227,14 @@ # template(`userdom_dontaudit_write_user_home_content_files',` gen_require(` @@ -33652,7 +33685,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2144,11 +2265,11 @@ +@@ -2144,11 +2264,11 @@ # template(`userdom_read_user_home_content_symlinks',` gen_require(` @@ -33666,7 +33699,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2178,11 +2299,11 @@ +@@ -2178,11 +2298,11 @@ # template(`userdom_exec_user_home_content_files',` gen_require(` @@ -33680,7 +33713,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2212,10 +2333,10 @@ +@@ -2212,10 +2332,10 @@ # template(`userdom_dontaudit_exec_user_home_content_files',` gen_require(` @@ -33693,7 +33726,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2247,12 +2368,12 @@ +@@ -2247,12 +2367,12 @@ # template(`userdom_manage_user_home_content_files',` gen_require(` @@ -33709,7 +33742,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2284,10 +2405,10 @@ +@@ -2284,10 +2404,10 @@ # template(`userdom_dontaudit_manage_user_home_content_dirs',` gen_require(` @@ -33722,7 +33755,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2319,12 +2440,12 @@ +@@ -2319,12 +2439,12 @@ # template(`userdom_manage_user_home_content_symlinks',` gen_require(` @@ -33738,7 +33771,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2356,12 +2477,12 @@ +@@ -2356,12 +2476,12 @@ # template(`userdom_manage_user_home_content_pipes',` gen_require(` @@ -33754,7 +33787,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2393,12 +2514,12 @@ +@@ -2393,12 +2513,12 @@ # template(`userdom_manage_user_home_content_sockets',` gen_require(` @@ -33770,7 +33803,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2443,11 +2564,11 @@ +@@ -2443,11 +2563,11 @@ # template(`userdom_user_home_dir_filetrans',` gen_require(` @@ -33784,7 +33817,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2492,11 +2613,11 @@ +@@ -2492,11 +2612,11 @@ # template(`userdom_user_home_content_filetrans',` gen_require(` @@ -33798,7 +33831,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2536,11 +2657,11 @@ +@@ -2536,11 +2656,11 @@ # template(`userdom_user_home_dir_filetrans_user_home_content',` gen_require(` @@ -33812,7 +33845,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2570,11 +2691,11 @@ +@@ -2570,11 +2690,11 @@ # template(`userdom_write_user_tmp_sockets',` gen_require(` @@ -33826,7 +33859,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2604,11 +2725,11 @@ +@@ -2604,11 +2724,11 @@ # template(`userdom_list_user_tmp',` gen_require(` @@ -33840,7 +33873,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2640,10 +2761,10 @@ +@@ -2640,10 +2760,10 @@ # template(`userdom_dontaudit_list_user_tmp',` gen_require(` @@ -33853,7 +33886,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2675,10 +2796,10 @@ +@@ -2675,10 +2795,10 @@ # template(`userdom_dontaudit_manage_user_tmp_dirs',` gen_require(` @@ -33866,7 +33899,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2708,12 +2829,12 @@ +@@ -2708,12 +2828,12 @@ # template(`userdom_read_user_tmp_files',` gen_require(` @@ -33882,7 +33915,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2745,10 +2866,10 @@ +@@ -2745,10 +2865,10 @@ # template(`userdom_dontaudit_read_user_tmp_files',` gen_require(` @@ -33895,7 +33928,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2780,10 +2901,10 @@ +@@ -2780,10 +2900,10 @@ # template(`userdom_dontaudit_append_user_tmp_files',` gen_require(` @@ -33908,7 +33941,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2813,12 +2934,12 @@ +@@ -2813,12 +2933,12 @@ # template(`userdom_rw_user_tmp_files',` gen_require(` @@ -33924,7 +33957,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2850,10 +2971,10 @@ +@@ -2850,10 +2970,10 @@ # template(`userdom_dontaudit_manage_user_tmp_files',` gen_require(` @@ -33937,7 +33970,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2885,12 +3006,12 @@ +@@ -2885,12 +3005,12 @@ # template(`userdom_read_user_tmp_symlinks',` gen_require(` @@ -33953,7 +33986,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2922,11 +3043,11 @@ +@@ -2922,11 +3042,11 @@ # template(`userdom_manage_user_tmp_dirs',` gen_require(` @@ -33967,7 +34000,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2958,11 +3079,11 @@ +@@ -2958,11 +3078,11 @@ # template(`userdom_manage_user_tmp_files',` gen_require(` @@ -33981,7 +34014,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2994,11 +3115,11 @@ +@@ -2994,11 +3114,11 @@ # template(`userdom_manage_user_tmp_symlinks',` gen_require(` @@ -33995,7 +34028,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -3030,11 +3151,11 @@ +@@ -3030,11 +3150,11 @@ # template(`userdom_manage_user_tmp_pipes',` gen_require(` @@ -34009,7 +34042,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -3066,11 +3187,11 @@ +@@ -3066,11 +3186,11 @@ # template(`userdom_manage_user_tmp_sockets',` gen_require(` @@ -34023,7 +34056,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -3115,10 +3236,10 @@ +@@ -3115,10 +3235,10 @@ # template(`userdom_user_tmp_filetrans',` gen_require(` @@ -34036,7 +34069,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo files_search_tmp($2) ') -@@ -3159,19 +3280,19 @@ +@@ -3159,19 +3279,19 @@ # template(`userdom_tmp_filetrans_user_tmp',` gen_require(` @@ -34060,7 +34093,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ##

##

## This is a templated interface, and should only -@@ -4597,11 +4718,11 @@ +@@ -4597,11 +4717,11 @@ # interface(`userdom_search_all_users_home_dirs',` gen_require(` @@ -34074,10 +34107,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -4621,6 +4742,14 @@ +@@ -4621,7 +4741,15 @@ files_list_home($1) allow $1 home_dir_type:dir list_dir_perms; +-') + + tunable_policy(`use_nfs_home_dirs',` + fs_list_nfs($1) @@ -34086,10 +34120,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo + tunable_policy(`use_samba_home_dirs',` + fs_list_cifs($1) + ') - ') ++') ######################################## -@@ -4702,6 +4831,25 @@ + ##

+@@ -4702,6 +4830,25 @@ ######################################## ## @@ -34115,7 +34150,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ## Create, read, write, and delete all files ## in all users home directories. ## -@@ -4927,7 +5075,7 @@ +@@ -4927,7 +5074,7 @@ ######################################## ## @@ -34124,7 +34159,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ## ## ## -@@ -5299,6 +5447,42 @@ +@@ -5299,6 +5446,42 @@ ######################################## ## @@ -34167,7 +34202,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ## Read and write unprivileged user ttys. ## ## -@@ -5349,7 +5533,7 @@ +@@ -5349,7 +5532,7 @@ attribute userdomain; ') @@ -34176,7 +34211,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo kernel_search_proc($1) ') -@@ -5464,6 +5648,42 @@ +@@ -5464,6 +5647,42 @@ ######################################## ## @@ -34219,7 +34254,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ## Send a dbus message to all user domains. ## ## -@@ -5494,3 +5714,521 @@ +@@ -5494,3 +5713,521 @@ interface(`userdom_unconfined',` refpolicywarn(`$0($*) has been deprecated.') ')