- Merge Upstream
parent
9ed55bda90
commit
b6883e7cb4
@ -25797,7 +25797,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
|
|||||||
/var/lib/pam_devperm/:0 -- gen_context(system_u:object_r:xdm_var_lib_t,s0)
|
/var/lib/pam_devperm/:0 -- gen_context(system_u:object_r:xdm_var_lib_t,s0)
|
||||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.if serefpolicy-3.4.1/policy/modules/services/xserver.if
|
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.if serefpolicy-3.4.1/policy/modules/services/xserver.if
|
||||||
--- nsaserefpolicy/policy/modules/services/xserver.if 2008-05-19 10:26:38.000000000 -0400
|
--- nsaserefpolicy/policy/modules/services/xserver.if 2008-05-19 10:26:38.000000000 -0400
|
||||||
+++ serefpolicy-3.4.1/policy/modules/services/xserver.if 2008-05-30 16:24:12.019801000 -0400
|
+++ serefpolicy-3.4.1/policy/modules/services/xserver.if 2008-05-30 16:30:55.173240000 -0400
|
||||||
@@ -128,18 +128,24 @@
|
@@ -128,18 +128,24 @@
|
||||||
dev_rw_agp($1_xserver_t)
|
dev_rw_agp($1_xserver_t)
|
||||||
dev_rw_framebuffer($1_xserver_t)
|
dev_rw_framebuffer($1_xserver_t)
|
||||||
@ -25929,7 +25929,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
|
|||||||
|
|
||||||
# For startup relabel
|
# For startup relabel
|
||||||
- allow $2 $1_fonts_cache_t:{ dir file } { relabelto relabelfrom };
|
- allow $2 $1_fonts_cache_t:{ dir file } { relabelto relabelfrom };
|
||||||
+ allow $2 fonts_cache_t:{ dir file } { relabelto relabelfrom };
|
+ allow $2 fonts_cache_home_t:{ dir file } { relabelto relabelfrom };
|
||||||
|
|
||||||
stream_connect_pattern($2,$1_xserver_tmp_t,$1_xserver_tmp_t,$1_xserver_t)
|
stream_connect_pattern($2,$1_xserver_tmp_t,$1_xserver_tmp_t,$1_xserver_t)
|
||||||
|
|
||||||
@ -32040,11 +32040,12 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
|
|||||||
+/root(/.*)? gen_context(system_u:object_r:admin_home_t,s0)
|
+/root(/.*)? gen_context(system_u:object_r:admin_home_t,s0)
|
||||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.4.1/policy/modules/system/userdomain.if
|
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.4.1/policy/modules/system/userdomain.if
|
||||||
--- nsaserefpolicy/policy/modules/system/userdomain.if 2008-05-29 15:55:43.000000000 -0400
|
--- nsaserefpolicy/policy/modules/system/userdomain.if 2008-05-29 15:55:43.000000000 -0400
|
||||||
+++ serefpolicy-3.4.1/policy/modules/system/userdomain.if 2008-05-30 15:04:49.615583000 -0400
|
+++ serefpolicy-3.4.1/policy/modules/system/userdomain.if 2008-05-30 16:48:21.455393000 -0400
|
||||||
@@ -29,9 +29,14 @@
|
@@ -28,10 +28,14 @@
|
||||||
|
class context contains;
|
||||||
')
|
')
|
||||||
|
|
||||||
attribute $1_file_type;
|
- attribute $1_file_type;
|
||||||
+ attribute $1_usertype;
|
+ attribute $1_usertype;
|
||||||
|
|
||||||
- type $1_t, userdomain;
|
- type $1_t, userdomain;
|
||||||
@ -32057,7 +32058,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
|
|||||||
corecmd_shell_entry_type($1_t)
|
corecmd_shell_entry_type($1_t)
|
||||||
corecmd_bin_entry_type($1_t)
|
corecmd_bin_entry_type($1_t)
|
||||||
domain_user_exemption_target($1_t)
|
domain_user_exemption_target($1_t)
|
||||||
@@ -45,66 +50,80 @@
|
@@ -45,66 +49,80 @@
|
||||||
type $1_tty_device_t;
|
type $1_tty_device_t;
|
||||||
term_user_tty($1_t,$1_tty_device_t)
|
term_user_tty($1_t,$1_tty_device_t)
|
||||||
|
|
||||||
@ -32186,7 +32187,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
|
|||||||
|
|
||||||
tunable_policy(`allow_execmem',`
|
tunable_policy(`allow_execmem',`
|
||||||
# Allow loading DSOs that require executable stack.
|
# Allow loading DSOs that require executable stack.
|
||||||
@@ -115,6 +134,10 @@
|
@@ -115,6 +133,10 @@
|
||||||
# Allow making the stack executable via mprotect.
|
# Allow making the stack executable via mprotect.
|
||||||
allow $1_t self:process execstack;
|
allow $1_t self:process execstack;
|
||||||
')
|
')
|
||||||
@ -32197,7 +32198,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
|
|||||||
')
|
')
|
||||||
|
|
||||||
#######################################
|
#######################################
|
||||||
@@ -141,33 +164,13 @@
|
@@ -141,33 +163,13 @@
|
||||||
#
|
#
|
||||||
template(`userdom_ro_home_template',`
|
template(`userdom_ro_home_template',`
|
||||||
gen_require(`
|
gen_require(`
|
||||||
@ -32236,7 +32237,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
|
|||||||
|
|
||||||
##############################
|
##############################
|
||||||
#
|
#
|
||||||
@@ -175,13 +178,14 @@
|
@@ -175,13 +177,14 @@
|
||||||
#
|
#
|
||||||
|
|
||||||
# read-only home directory
|
# read-only home directory
|
||||||
@ -32258,7 +32259,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
|
|||||||
files_list_home($1_t)
|
files_list_home($1_t)
|
||||||
|
|
||||||
tunable_policy(`use_nfs_home_dirs',`
|
tunable_policy(`use_nfs_home_dirs',`
|
||||||
@@ -190,9 +194,6 @@
|
@@ -190,9 +193,6 @@
|
||||||
fs_read_nfs_symlinks($1_t)
|
fs_read_nfs_symlinks($1_t)
|
||||||
fs_read_nfs_named_sockets($1_t)
|
fs_read_nfs_named_sockets($1_t)
|
||||||
fs_read_nfs_named_pipes($1_t)
|
fs_read_nfs_named_pipes($1_t)
|
||||||
@ -32268,7 +32269,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
|
|||||||
')
|
')
|
||||||
|
|
||||||
tunable_policy(`use_samba_home_dirs',`
|
tunable_policy(`use_samba_home_dirs',`
|
||||||
@@ -201,9 +202,6 @@
|
@@ -201,9 +201,6 @@
|
||||||
fs_read_cifs_symlinks($1_t)
|
fs_read_cifs_symlinks($1_t)
|
||||||
fs_read_cifs_named_sockets($1_t)
|
fs_read_cifs_named_sockets($1_t)
|
||||||
fs_read_cifs_named_pipes($1_t)
|
fs_read_cifs_named_pipes($1_t)
|
||||||
@ -32278,7 +32279,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
|
|||||||
')
|
')
|
||||||
')
|
')
|
||||||
|
|
||||||
@@ -231,30 +229,14 @@
|
@@ -231,30 +228,14 @@
|
||||||
#
|
#
|
||||||
template(`userdom_manage_home_template',`
|
template(`userdom_manage_home_template',`
|
||||||
gen_require(`
|
gen_require(`
|
||||||
@ -32315,7 +32316,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
|
|||||||
|
|
||||||
##############################
|
##############################
|
||||||
#
|
#
|
||||||
@@ -262,43 +244,44 @@
|
@@ -262,43 +243,44 @@
|
||||||
#
|
#
|
||||||
|
|
||||||
# full control of the home directory
|
# full control of the home directory
|
||||||
@ -32390,7 +32391,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
|
|||||||
')
|
')
|
||||||
')
|
')
|
||||||
|
|
||||||
@@ -316,14 +299,20 @@
|
@@ -316,14 +298,20 @@
|
||||||
## <rolebase/>
|
## <rolebase/>
|
||||||
#
|
#
|
||||||
template(`userdom_exec_home_template',`
|
template(`userdom_exec_home_template',`
|
||||||
@ -32416,7 +32417,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
|
|||||||
')
|
')
|
||||||
')
|
')
|
||||||
|
|
||||||
@@ -341,11 +330,10 @@
|
@@ -341,11 +329,10 @@
|
||||||
## <rolebase/>
|
## <rolebase/>
|
||||||
#
|
#
|
||||||
template(`userdom_poly_home_template',`
|
template(`userdom_poly_home_template',`
|
||||||
@ -32432,7 +32433,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
|
|||||||
')
|
')
|
||||||
|
|
||||||
#######################################
|
#######################################
|
||||||
@@ -369,18 +357,18 @@
|
@@ -369,18 +356,18 @@
|
||||||
#
|
#
|
||||||
template(`userdom_manage_tmp_template',`
|
template(`userdom_manage_tmp_template',`
|
||||||
gen_require(`
|
gen_require(`
|
||||||
@ -32461,7 +32462,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
|
|||||||
')
|
')
|
||||||
|
|
||||||
#######################################
|
#######################################
|
||||||
@@ -396,7 +384,13 @@
|
@@ -396,7 +383,13 @@
|
||||||
## <rolebase/>
|
## <rolebase/>
|
||||||
#
|
#
|
||||||
template(`userdom_exec_tmp_template',`
|
template(`userdom_exec_tmp_template',`
|
||||||
@ -32476,8 +32477,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
|
|||||||
')
|
')
|
||||||
|
|
||||||
#######################################
|
#######################################
|
||||||
@@ -445,12 +439,12 @@
|
@@ -439,18 +432,18 @@
|
||||||
type $1_tmpfs_t, $1_file_type;
|
#
|
||||||
|
template(`userdom_manage_tmpfs_template',`
|
||||||
|
gen_require(`
|
||||||
|
- attribute $1_file_type;
|
||||||
|
+ attribute user_file_type;
|
||||||
|
')
|
||||||
|
|
||||||
|
- type $1_tmpfs_t, $1_file_type;
|
||||||
|
+ type $1_tmpfs_t, user_file_type;
|
||||||
files_tmpfs_file($1_tmpfs_t)
|
files_tmpfs_file($1_tmpfs_t)
|
||||||
|
|
||||||
- manage_dirs_pattern($1_t,$1_tmpfs_t,$1_tmpfs_t)
|
- manage_dirs_pattern($1_t,$1_tmpfs_t,$1_tmpfs_t)
|
||||||
@ -32495,7 +32504,28 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
|
|||||||
')
|
')
|
||||||
|
|
||||||
#######################################
|
#######################################
|
||||||
@@ -510,10 +504,6 @@
|
@@ -468,17 +461,17 @@
|
||||||
|
#
|
||||||
|
template(`userdom_untrusted_content_template',`
|
||||||
|
gen_require(`
|
||||||
|
- attribute $1_file_type;
|
||||||
|
+ attribute user_file_type;
|
||||||
|
attribute untrusted_content_type, untrusted_content_tmp_type;
|
||||||
|
type $1_t;
|
||||||
|
')
|
||||||
|
|
||||||
|
# types for network-obtained content
|
||||||
|
- type $1_untrusted_content_t, $1_file_type, untrusted_content_type; #, customizable
|
||||||
|
+ type $1_untrusted_content_t, user_file_type, untrusted_content_type; #, customizable
|
||||||
|
files_type($1_untrusted_content_t)
|
||||||
|
files_poly_member($1_untrusted_content_t)
|
||||||
|
|
||||||
|
- type $1_untrusted_content_tmp_t, $1_file_type, untrusted_content_tmp_type; # customizable
|
||||||
|
+ type $1_untrusted_content_tmp_t, user_file_type, untrusted_content_tmp_type; # customizable
|
||||||
|
files_tmp_file($1_untrusted_content_tmp_t)
|
||||||
|
|
||||||
|
# Allow user to relabel untrusted content
|
||||||
|
@@ -510,10 +503,6 @@
|
||||||
## <rolebase/>
|
## <rolebase/>
|
||||||
#
|
#
|
||||||
template(`userdom_exec_generic_pgms_template',`
|
template(`userdom_exec_generic_pgms_template',`
|
||||||
@ -32506,16 +32536,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
|
|||||||
corecmd_exec_bin($1_t)
|
corecmd_exec_bin($1_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
@@ -531,27 +521,20 @@
|
@@ -531,27 +520,20 @@
|
||||||
## <rolebase/>
|
## <rolebase/>
|
||||||
#
|
#
|
||||||
template(`userdom_basic_networking_template',`
|
template(`userdom_basic_networking_template',`
|
||||||
- gen_require(`
|
- gen_require(`
|
||||||
- type $1_t;
|
- type $1_t;
|
||||||
- ')
|
- ')
|
||||||
-
|
|
||||||
- allow $1_t self:tcp_socket create_stream_socket_perms;
|
- allow $1_t self:tcp_socket create_stream_socket_perms;
|
||||||
- allow $1_t self:udp_socket create_socket_perms;
|
- allow $1_t self:udp_socket create_socket_perms;
|
||||||
|
+ allow $1_usertype self:tcp_socket create_stream_socket_perms;
|
||||||
|
+ allow $1_usertype self:udp_socket create_socket_perms;
|
||||||
|
|
||||||
- corenet_all_recvfrom_unlabeled($1_t)
|
- corenet_all_recvfrom_unlabeled($1_t)
|
||||||
- corenet_all_recvfrom_netlabel($1_t)
|
- corenet_all_recvfrom_netlabel($1_t)
|
||||||
@ -32527,9 +32559,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
|
|||||||
- corenet_udp_sendrecv_all_ports($1_t)
|
- corenet_udp_sendrecv_all_ports($1_t)
|
||||||
- corenet_tcp_connect_all_ports($1_t)
|
- corenet_tcp_connect_all_ports($1_t)
|
||||||
- corenet_sendrecv_all_client_packets($1_t)
|
- corenet_sendrecv_all_client_packets($1_t)
|
||||||
+ allow $1_usertype self:tcp_socket create_stream_socket_perms;
|
-
|
||||||
+ allow $1_usertype self:udp_socket create_socket_perms;
|
|
||||||
|
|
||||||
- optional_policy(`
|
- optional_policy(`
|
||||||
- ipsec_match_default_spd($1_t)
|
- ipsec_match_default_spd($1_t)
|
||||||
- ')
|
- ')
|
||||||
@ -32546,7 +32576,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
|
|||||||
')
|
')
|
||||||
|
|
||||||
#######################################
|
#######################################
|
||||||
@@ -568,30 +551,33 @@
|
@@ -568,30 +550,33 @@
|
||||||
#
|
#
|
||||||
template(`userdom_xwindows_client_template',`
|
template(`userdom_xwindows_client_template',`
|
||||||
gen_require(`
|
gen_require(`
|
||||||
@ -32596,7 +32626,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
|
|||||||
')
|
')
|
||||||
|
|
||||||
#######################################
|
#######################################
|
||||||
@@ -622,13 +608,7 @@
|
@@ -622,13 +607,7 @@
|
||||||
## <summary>
|
## <summary>
|
||||||
## The template for allowing the user to change roles.
|
## The template for allowing the user to change roles.
|
||||||
## </summary>
|
## </summary>
|
||||||
@ -32611,7 +32641,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
|
|||||||
## <summary>
|
## <summary>
|
||||||
## The prefix of the user domain (e.g., user
|
## The prefix of the user domain (e.g., user
|
||||||
## is the prefix for user_t).
|
## is the prefix for user_t).
|
||||||
@@ -692,183 +672,198 @@
|
@@ -692,183 +671,198 @@
|
||||||
dontaudit $1_t self:netlink_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown };
|
dontaudit $1_t self:netlink_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown };
|
||||||
dontaudit $1_t self:netlink_route_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown nlmsg_read nlmsg_write };
|
dontaudit $1_t self:netlink_route_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown nlmsg_read nlmsg_write };
|
||||||
|
|
||||||
@ -32891,7 +32921,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
|
|||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@@ -895,6 +890,8 @@
|
@@ -895,6 +889,8 @@
|
||||||
## </param>
|
## </param>
|
||||||
#
|
#
|
||||||
template(`userdom_login_user_template', `
|
template(`userdom_login_user_template', `
|
||||||
@ -32900,7 +32930,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
|
|||||||
userdom_base_user_template($1)
|
userdom_base_user_template($1)
|
||||||
|
|
||||||
userdom_manage_home_template($1)
|
userdom_manage_home_template($1)
|
||||||
@@ -923,70 +920,73 @@
|
@@ -923,70 +919,73 @@
|
||||||
|
|
||||||
allow $1_t self:context contains;
|
allow $1_t self:context contains;
|
||||||
|
|
||||||
@ -33007,7 +33037,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
|
|||||||
')
|
')
|
||||||
')
|
')
|
||||||
|
|
||||||
@@ -1020,9 +1020,6 @@
|
@@ -1020,9 +1019,6 @@
|
||||||
domain_interactive_fd($1_t)
|
domain_interactive_fd($1_t)
|
||||||
|
|
||||||
typeattribute $1_devpts_t user_ptynode;
|
typeattribute $1_devpts_t user_ptynode;
|
||||||
@ -33017,7 +33047,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
|
|||||||
typeattribute $1_tty_device_t user_ttynode;
|
typeattribute $1_tty_device_t user_ttynode;
|
||||||
|
|
||||||
##############################
|
##############################
|
||||||
@@ -1031,16 +1028,29 @@
|
@@ -1031,16 +1027,29 @@
|
||||||
#
|
#
|
||||||
|
|
||||||
# privileged home directory writers
|
# privileged home directory writers
|
||||||
@ -33054,7 +33084,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
|
|||||||
')
|
')
|
||||||
|
|
||||||
#######################################
|
#######################################
|
||||||
@@ -1068,6 +1078,13 @@
|
@@ -1068,6 +1077,13 @@
|
||||||
|
|
||||||
userdom_restricted_user_template($1)
|
userdom_restricted_user_template($1)
|
||||||
|
|
||||||
@ -33068,7 +33098,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
|
|||||||
userdom_xwindows_client_template($1)
|
userdom_xwindows_client_template($1)
|
||||||
|
|
||||||
##############################
|
##############################
|
||||||
@@ -1076,14 +1093,16 @@
|
@@ -1076,14 +1092,16 @@
|
||||||
#
|
#
|
||||||
|
|
||||||
authlogin_per_role_template($1, $1_t, $1_r)
|
authlogin_per_role_template($1, $1_t, $1_r)
|
||||||
@ -33090,7 +33120,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
|
|||||||
logging_dontaudit_send_audit_msgs($1_t)
|
logging_dontaudit_send_audit_msgs($1_t)
|
||||||
|
|
||||||
# Need to to this just so screensaver will work. Should be moved to screensaver domain
|
# Need to to this just so screensaver will work. Should be moved to screensaver domain
|
||||||
@@ -1091,28 +1110,23 @@
|
@@ -1091,28 +1109,23 @@
|
||||||
selinux_get_enforce_mode($1_t)
|
selinux_get_enforce_mode($1_t)
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@ -33126,7 +33156,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
|
|||||||
')
|
')
|
||||||
')
|
')
|
||||||
|
|
||||||
@@ -1123,10 +1137,10 @@
|
@@ -1123,10 +1136,10 @@
|
||||||
## </summary>
|
## </summary>
|
||||||
## <desc>
|
## <desc>
|
||||||
## <p>
|
## <p>
|
||||||
@ -33141,7 +33171,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
|
|||||||
## This template creates a user domain, types, and
|
## This template creates a user domain, types, and
|
||||||
## rules for the user's tty, pty, home directories,
|
## rules for the user's tty, pty, home directories,
|
||||||
## tmp, and tmpfs files.
|
## tmp, and tmpfs files.
|
||||||
@@ -1160,7 +1174,6 @@
|
@@ -1160,7 +1173,6 @@
|
||||||
# Need the following rule to allow users to run vpnc
|
# Need the following rule to allow users to run vpnc
|
||||||
corenet_tcp_bind_xserver_port($1_t)
|
corenet_tcp_bind_xserver_port($1_t)
|
||||||
|
|
||||||
@ -33149,7 +33179,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
|
|||||||
# cjp: why?
|
# cjp: why?
|
||||||
files_read_kernel_symbol_table($1_t)
|
files_read_kernel_symbol_table($1_t)
|
||||||
|
|
||||||
@@ -1178,32 +1191,45 @@
|
@@ -1178,32 +1190,45 @@
|
||||||
')
|
')
|
||||||
')
|
')
|
||||||
|
|
||||||
@ -33179,10 +33209,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
|
|||||||
optional_policy(`
|
optional_policy(`
|
||||||
- ppp_run_cond($1_t,$1_r,{ $1_tty_device_t $1_devpts_t })
|
- ppp_run_cond($1_t,$1_r,{ $1_tty_device_t $1_devpts_t })
|
||||||
+ games_rw_data($1_usertype)
|
+ games_rw_data($1_usertype)
|
||||||
')
|
+ ')
|
||||||
|
+
|
||||||
optional_policy(`
|
+ optional_policy(`
|
||||||
- setroubleshoot_stream_connect($1_t)
|
|
||||||
+ mount_run($1_t,$1_r,{ $1_tty_device_t $1_devpts_t })
|
+ mount_run($1_t,$1_r,{ $1_tty_device_t $1_devpts_t })
|
||||||
+ ')
|
+ ')
|
||||||
+
|
+
|
||||||
@ -33192,9 +33221,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
|
|||||||
+
|
+
|
||||||
+ optional_policy(`
|
+ optional_policy(`
|
||||||
+ polkit_per_role_template($1, $1_usertype, $1_r)
|
+ polkit_per_role_template($1, $1_usertype, $1_r)
|
||||||
+ ')
|
')
|
||||||
+
|
|
||||||
+ optional_policy(`
|
optional_policy(`
|
||||||
|
- setroubleshoot_stream_connect($1_t)
|
||||||
+ java_per_role_template($1, $1_t, $1_r)
|
+ java_per_role_template($1, $1_t, $1_r)
|
||||||
+ ')
|
+ ')
|
||||||
+
|
+
|
||||||
@ -33207,7 +33237,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
|
|||||||
')
|
')
|
||||||
')
|
')
|
||||||
|
|
||||||
@@ -1280,8 +1306,6 @@
|
@@ -1280,8 +1305,6 @@
|
||||||
# Manipulate other users crontab.
|
# Manipulate other users crontab.
|
||||||
allow $1_t self:passwd crontab;
|
allow $1_t self:passwd crontab;
|
||||||
|
|
||||||
@ -33216,7 +33246,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
|
|||||||
kernel_read_software_raid_state($1_t)
|
kernel_read_software_raid_state($1_t)
|
||||||
kernel_getattr_core_if($1_t)
|
kernel_getattr_core_if($1_t)
|
||||||
kernel_getattr_message_if($1_t)
|
kernel_getattr_message_if($1_t)
|
||||||
@@ -1303,8 +1327,6 @@
|
@@ -1303,8 +1326,6 @@
|
||||||
|
|
||||||
dev_getattr_generic_blk_files($1_t)
|
dev_getattr_generic_blk_files($1_t)
|
||||||
dev_getattr_generic_chr_files($1_t)
|
dev_getattr_generic_chr_files($1_t)
|
||||||
@ -33225,7 +33255,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
|
|||||||
# Allow MAKEDEV to work
|
# Allow MAKEDEV to work
|
||||||
dev_create_all_blk_files($1_t)
|
dev_create_all_blk_files($1_t)
|
||||||
dev_create_all_chr_files($1_t)
|
dev_create_all_chr_files($1_t)
|
||||||
@@ -1359,13 +1381,6 @@
|
@@ -1359,13 +1380,6 @@
|
||||||
# But presently necessary for installing the file_contexts file.
|
# But presently necessary for installing the file_contexts file.
|
||||||
seutil_manage_bin_policy($1_t)
|
seutil_manage_bin_policy($1_t)
|
||||||
|
|
||||||
@ -33239,7 +33269,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
|
|||||||
optional_policy(`
|
optional_policy(`
|
||||||
userhelper_exec($1_t)
|
userhelper_exec($1_t)
|
||||||
')
|
')
|
||||||
@@ -1413,6 +1428,7 @@
|
@@ -1413,6 +1427,7 @@
|
||||||
dev_relabel_all_dev_nodes($1)
|
dev_relabel_all_dev_nodes($1)
|
||||||
|
|
||||||
files_create_boot_flag($1)
|
files_create_boot_flag($1)
|
||||||
@ -33247,7 +33277,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
|
|||||||
|
|
||||||
# Necessary for managing /boot/efi
|
# Necessary for managing /boot/efi
|
||||||
fs_manage_dos_files($1)
|
fs_manage_dos_files($1)
|
||||||
@@ -1442,10 +1458,6 @@
|
@@ -1442,10 +1457,6 @@
|
||||||
seutil_run_semanage($1,$2,$3)
|
seutil_run_semanage($1,$2,$3)
|
||||||
seutil_run_setfiles($1, $2, $3)
|
seutil_run_setfiles($1, $2, $3)
|
||||||
|
|
||||||
@ -33258,7 +33288,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
|
|||||||
optional_policy(`
|
optional_policy(`
|
||||||
aide_run($1,$2, $3)
|
aide_run($1,$2, $3)
|
||||||
')
|
')
|
||||||
@@ -1465,12 +1477,30 @@
|
@@ -1465,12 +1476,30 @@
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
netlabel_run_mgmt($1,$2, $3)
|
netlabel_run_mgmt($1,$2, $3)
|
||||||
')
|
')
|
||||||
@ -33289,7 +33319,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
|
|||||||
## <param name="prefix">
|
## <param name="prefix">
|
||||||
## <summary>
|
## <summary>
|
||||||
## The prefix of the user role (e.g., user
|
## The prefix of the user role (e.g., user
|
||||||
@@ -1480,8 +1510,7 @@
|
@@ -1480,8 +1509,7 @@
|
||||||
## <rolecap/>
|
## <rolecap/>
|
||||||
#
|
#
|
||||||
template(`userdom_role_change_generic_user',`
|
template(`userdom_role_change_generic_user',`
|
||||||
@ -33299,7 +33329,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
|
|||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@@ -1508,14 +1537,23 @@
|
@@ -1508,14 +1536,23 @@
|
||||||
## <rolecap/>
|
## <rolecap/>
|
||||||
#
|
#
|
||||||
template(`userdom_role_change_from_generic_user',`
|
template(`userdom_role_change_from_generic_user',`
|
||||||
@ -33325,7 +33355,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
|
|||||||
## <param name="prefix">
|
## <param name="prefix">
|
||||||
## <summary>
|
## <summary>
|
||||||
## The prefix of the user role (e.g., user
|
## The prefix of the user role (e.g., user
|
||||||
@@ -1525,8 +1563,7 @@
|
@@ -1525,8 +1562,7 @@
|
||||||
## <rolecap/>
|
## <rolecap/>
|
||||||
#
|
#
|
||||||
template(`userdom_role_change_staff',`
|
template(`userdom_role_change_staff',`
|
||||||
@ -33335,7 +33365,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
|
|||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@@ -1553,14 +1590,23 @@
|
@@ -1553,14 +1589,23 @@
|
||||||
## <rolecap/>
|
## <rolecap/>
|
||||||
#
|
#
|
||||||
template(`userdom_role_change_from_staff',`
|
template(`userdom_role_change_from_staff',`
|
||||||
@ -33361,7 +33391,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
|
|||||||
## <param name="prefix">
|
## <param name="prefix">
|
||||||
## <summary>
|
## <summary>
|
||||||
## The prefix of the user role (e.g., user
|
## The prefix of the user role (e.g., user
|
||||||
@@ -1570,8 +1616,7 @@
|
@@ -1570,8 +1615,7 @@
|
||||||
## <rolecap/>
|
## <rolecap/>
|
||||||
#
|
#
|
||||||
template(`userdom_role_change_sysadm',`
|
template(`userdom_role_change_sysadm',`
|
||||||
@ -33371,7 +33401,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
|
|||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@@ -1598,14 +1643,23 @@
|
@@ -1598,14 +1642,23 @@
|
||||||
## <rolecap/>
|
## <rolecap/>
|
||||||
#
|
#
|
||||||
template(`userdom_role_change_from_sysadm',`
|
template(`userdom_role_change_from_sysadm',`
|
||||||
@ -33397,7 +33427,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
|
|||||||
## <param name="prefix">
|
## <param name="prefix">
|
||||||
## <summary>
|
## <summary>
|
||||||
## The prefix of the user role (e.g., user
|
## The prefix of the user role (e.g., user
|
||||||
@@ -1615,8 +1669,11 @@
|
@@ -1615,8 +1668,11 @@
|
||||||
## <rolecap/>
|
## <rolecap/>
|
||||||
#
|
#
|
||||||
template(`userdom_role_change_secadm',`
|
template(`userdom_role_change_secadm',`
|
||||||
@ -33411,7 +33441,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
|
|||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@@ -1643,14 +1700,27 @@
|
@@ -1643,14 +1699,27 @@
|
||||||
## <rolecap/>
|
## <rolecap/>
|
||||||
#
|
#
|
||||||
template(`userdom_role_change_from_secadm',`
|
template(`userdom_role_change_from_secadm',`
|
||||||
@ -33441,7 +33471,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
|
|||||||
## <param name="prefix">
|
## <param name="prefix">
|
||||||
## <summary>
|
## <summary>
|
||||||
## The prefix of the auditadm role (e.g., user
|
## The prefix of the auditadm role (e.g., user
|
||||||
@@ -1660,8 +1730,11 @@
|
@@ -1660,8 +1729,11 @@
|
||||||
## <rolecap/>
|
## <rolecap/>
|
||||||
#
|
#
|
||||||
template(`userdom_role_change_auditadm',`
|
template(`userdom_role_change_auditadm',`
|
||||||
@ -33455,7 +33485,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
|
|||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@@ -1688,8 +1761,11 @@
|
@@ -1688,8 +1760,11 @@
|
||||||
## <rolecap/>
|
## <rolecap/>
|
||||||
#
|
#
|
||||||
template(`userdom_role_change_from_auditadm',`
|
template(`userdom_role_change_from_auditadm',`
|
||||||
@ -33469,23 +33499,26 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
|
|||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@@ -1723,10 +1799,14 @@
|
@@ -1722,11 +1797,15 @@
|
||||||
|
#
|
||||||
template(`userdom_user_home_content',`
|
template(`userdom_user_home_content',`
|
||||||
gen_require(`
|
gen_require(`
|
||||||
attribute $1_file_type;
|
- attribute $1_file_type;
|
||||||
|
+ attribute user_file_type;
|
||||||
+ attribute user_home_type;
|
+ attribute user_home_type;
|
||||||
+ attribute home_type;
|
+ attribute home_type;
|
||||||
')
|
')
|
||||||
|
|
||||||
typeattribute $2 $1_file_type;
|
- typeattribute $2 $1_file_type;
|
||||||
- files_type($2)
|
- files_type($2)
|
||||||
|
+ typeattribute $2 user_file_type;
|
||||||
+ typeattribute $2 user_home_type;
|
+ typeattribute $2 user_home_type;
|
||||||
+ typeattribute $2 home_type;
|
+ typeattribute $2 home_type;
|
||||||
+ files_poly_member($2)
|
+ files_poly_member($2)
|
||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@@ -1822,11 +1902,11 @@
|
@@ -1822,11 +1901,11 @@
|
||||||
#
|
#
|
||||||
template(`userdom_search_user_home_dirs',`
|
template(`userdom_search_user_home_dirs',`
|
||||||
gen_require(`
|
gen_require(`
|
||||||
@ -33499,7 +33532,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
|
|||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@@ -1856,11 +1936,11 @@
|
@@ -1856,11 +1935,11 @@
|
||||||
#
|
#
|
||||||
template(`userdom_list_user_home_dirs',`
|
template(`userdom_list_user_home_dirs',`
|
||||||
gen_require(`
|
gen_require(`
|
||||||
@ -33513,7 +33546,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
|
|||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@@ -1904,12 +1984,12 @@
|
@@ -1904,12 +1983,12 @@
|
||||||
#
|
#
|
||||||
template(`userdom_user_home_domtrans',`
|
template(`userdom_user_home_domtrans',`
|
||||||
gen_require(`
|
gen_require(`
|
||||||
@ -33529,7 +33562,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
|
|||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@@ -1939,10 +2019,11 @@
|
@@ -1939,10 +2018,11 @@
|
||||||
#
|
#
|
||||||
template(`userdom_dontaudit_list_user_home_dirs',`
|
template(`userdom_dontaudit_list_user_home_dirs',`
|
||||||
gen_require(`
|
gen_require(`
|
||||||
@ -33543,7 +33576,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
|
|||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@@ -1974,11 +2055,47 @@
|
@@ -1974,11 +2054,47 @@
|
||||||
#
|
#
|
||||||
template(`userdom_manage_user_home_content_dirs',`
|
template(`userdom_manage_user_home_content_dirs',`
|
||||||
gen_require(`
|
gen_require(`
|
||||||
@ -33593,7 +33626,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
|
|||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@@ -2010,10 +2127,10 @@
|
@@ -2010,10 +2126,10 @@
|
||||||
#
|
#
|
||||||
template(`userdom_dontaudit_setattr_user_home_content_files',`
|
template(`userdom_dontaudit_setattr_user_home_content_files',`
|
||||||
gen_require(`
|
gen_require(`
|
||||||
@ -33606,7 +33639,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
|
|||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@@ -2043,11 +2160,11 @@
|
@@ -2043,11 +2159,11 @@
|
||||||
#
|
#
|
||||||
template(`userdom_read_user_home_content_files',`
|
template(`userdom_read_user_home_content_files',`
|
||||||
gen_require(`
|
gen_require(`
|
||||||
@ -33620,7 +33653,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
|
|||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@@ -2077,11 +2194,11 @@
|
@@ -2077,11 +2193,11 @@
|
||||||
#
|
#
|
||||||
template(`userdom_dontaudit_read_user_home_content_files',`
|
template(`userdom_dontaudit_read_user_home_content_files',`
|
||||||
gen_require(`
|
gen_require(`
|
||||||
@ -33635,7 +33668,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
|
|||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@@ -2111,10 +2228,14 @@
|
@@ -2111,10 +2227,14 @@
|
||||||
#
|
#
|
||||||
template(`userdom_dontaudit_write_user_home_content_files',`
|
template(`userdom_dontaudit_write_user_home_content_files',`
|
||||||
gen_require(`
|
gen_require(`
|
||||||
@ -33652,7 +33685,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
|
|||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@@ -2144,11 +2265,11 @@
|
@@ -2144,11 +2264,11 @@
|
||||||
#
|
#
|
||||||
template(`userdom_read_user_home_content_symlinks',`
|
template(`userdom_read_user_home_content_symlinks',`
|
||||||
gen_require(`
|
gen_require(`
|
||||||
@ -33666,7 +33699,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
|
|||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@@ -2178,11 +2299,11 @@
|
@@ -2178,11 +2298,11 @@
|
||||||
#
|
#
|
||||||
template(`userdom_exec_user_home_content_files',`
|
template(`userdom_exec_user_home_content_files',`
|
||||||
gen_require(`
|
gen_require(`
|
||||||
@ -33680,7 +33713,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
|
|||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@@ -2212,10 +2333,10 @@
|
@@ -2212,10 +2332,10 @@
|
||||||
#
|
#
|
||||||
template(`userdom_dontaudit_exec_user_home_content_files',`
|
template(`userdom_dontaudit_exec_user_home_content_files',`
|
||||||
gen_require(`
|
gen_require(`
|
||||||
@ -33693,7 +33726,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
|
|||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@@ -2247,12 +2368,12 @@
|
@@ -2247,12 +2367,12 @@
|
||||||
#
|
#
|
||||||
template(`userdom_manage_user_home_content_files',`
|
template(`userdom_manage_user_home_content_files',`
|
||||||
gen_require(`
|
gen_require(`
|
||||||
@ -33709,7 +33742,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
|
|||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@@ -2284,10 +2405,10 @@
|
@@ -2284,10 +2404,10 @@
|
||||||
#
|
#
|
||||||
template(`userdom_dontaudit_manage_user_home_content_dirs',`
|
template(`userdom_dontaudit_manage_user_home_content_dirs',`
|
||||||
gen_require(`
|
gen_require(`
|
||||||
@ -33722,7 +33755,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
|
|||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@@ -2319,12 +2440,12 @@
|
@@ -2319,12 +2439,12 @@
|
||||||
#
|
#
|
||||||
template(`userdom_manage_user_home_content_symlinks',`
|
template(`userdom_manage_user_home_content_symlinks',`
|
||||||
gen_require(`
|
gen_require(`
|
||||||
@ -33738,7 +33771,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
|
|||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@@ -2356,12 +2477,12 @@
|
@@ -2356,12 +2476,12 @@
|
||||||
#
|
#
|
||||||
template(`userdom_manage_user_home_content_pipes',`
|
template(`userdom_manage_user_home_content_pipes',`
|
||||||
gen_require(`
|
gen_require(`
|
||||||
@ -33754,7 +33787,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
|
|||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@@ -2393,12 +2514,12 @@
|
@@ -2393,12 +2513,12 @@
|
||||||
#
|
#
|
||||||
template(`userdom_manage_user_home_content_sockets',`
|
template(`userdom_manage_user_home_content_sockets',`
|
||||||
gen_require(`
|
gen_require(`
|
||||||
@ -33770,7 +33803,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
|
|||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@@ -2443,11 +2564,11 @@
|
@@ -2443,11 +2563,11 @@
|
||||||
#
|
#
|
||||||
template(`userdom_user_home_dir_filetrans',`
|
template(`userdom_user_home_dir_filetrans',`
|
||||||
gen_require(`
|
gen_require(`
|
||||||
@ -33784,7 +33817,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
|
|||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@@ -2492,11 +2613,11 @@
|
@@ -2492,11 +2612,11 @@
|
||||||
#
|
#
|
||||||
template(`userdom_user_home_content_filetrans',`
|
template(`userdom_user_home_content_filetrans',`
|
||||||
gen_require(`
|
gen_require(`
|
||||||
@ -33798,7 +33831,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
|
|||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@@ -2536,11 +2657,11 @@
|
@@ -2536,11 +2656,11 @@
|
||||||
#
|
#
|
||||||
template(`userdom_user_home_dir_filetrans_user_home_content',`
|
template(`userdom_user_home_dir_filetrans_user_home_content',`
|
||||||
gen_require(`
|
gen_require(`
|
||||||
@ -33812,7 +33845,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
|
|||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@@ -2570,11 +2691,11 @@
|
@@ -2570,11 +2690,11 @@
|
||||||
#
|
#
|
||||||
template(`userdom_write_user_tmp_sockets',`
|
template(`userdom_write_user_tmp_sockets',`
|
||||||
gen_require(`
|
gen_require(`
|
||||||
@ -33826,7 +33859,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
|
|||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@@ -2604,11 +2725,11 @@
|
@@ -2604,11 +2724,11 @@
|
||||||
#
|
#
|
||||||
template(`userdom_list_user_tmp',`
|
template(`userdom_list_user_tmp',`
|
||||||
gen_require(`
|
gen_require(`
|
||||||
@ -33840,7 +33873,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
|
|||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@@ -2640,10 +2761,10 @@
|
@@ -2640,10 +2760,10 @@
|
||||||
#
|
#
|
||||||
template(`userdom_dontaudit_list_user_tmp',`
|
template(`userdom_dontaudit_list_user_tmp',`
|
||||||
gen_require(`
|
gen_require(`
|
||||||
@ -33853,7 +33886,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
|
|||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@@ -2675,10 +2796,10 @@
|
@@ -2675,10 +2795,10 @@
|
||||||
#
|
#
|
||||||
template(`userdom_dontaudit_manage_user_tmp_dirs',`
|
template(`userdom_dontaudit_manage_user_tmp_dirs',`
|
||||||
gen_require(`
|
gen_require(`
|
||||||
@ -33866,7 +33899,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
|
|||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@@ -2708,12 +2829,12 @@
|
@@ -2708,12 +2828,12 @@
|
||||||
#
|
#
|
||||||
template(`userdom_read_user_tmp_files',`
|
template(`userdom_read_user_tmp_files',`
|
||||||
gen_require(`
|
gen_require(`
|
||||||
@ -33882,7 +33915,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
|
|||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@@ -2745,10 +2866,10 @@
|
@@ -2745,10 +2865,10 @@
|
||||||
#
|
#
|
||||||
template(`userdom_dontaudit_read_user_tmp_files',`
|
template(`userdom_dontaudit_read_user_tmp_files',`
|
||||||
gen_require(`
|
gen_require(`
|
||||||
@ -33895,7 +33928,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
|
|||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@@ -2780,10 +2901,10 @@
|
@@ -2780,10 +2900,10 @@
|
||||||
#
|
#
|
||||||
template(`userdom_dontaudit_append_user_tmp_files',`
|
template(`userdom_dontaudit_append_user_tmp_files',`
|
||||||
gen_require(`
|
gen_require(`
|
||||||
@ -33908,7 +33941,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
|
|||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@@ -2813,12 +2934,12 @@
|
@@ -2813,12 +2933,12 @@
|
||||||
#
|
#
|
||||||
template(`userdom_rw_user_tmp_files',`
|
template(`userdom_rw_user_tmp_files',`
|
||||||
gen_require(`
|
gen_require(`
|
||||||
@ -33924,7 +33957,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
|
|||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@@ -2850,10 +2971,10 @@
|
@@ -2850,10 +2970,10 @@
|
||||||
#
|
#
|
||||||
template(`userdom_dontaudit_manage_user_tmp_files',`
|
template(`userdom_dontaudit_manage_user_tmp_files',`
|
||||||
gen_require(`
|
gen_require(`
|
||||||
@ -33937,7 +33970,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
|
|||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@@ -2885,12 +3006,12 @@
|
@@ -2885,12 +3005,12 @@
|
||||||
#
|
#
|
||||||
template(`userdom_read_user_tmp_symlinks',`
|
template(`userdom_read_user_tmp_symlinks',`
|
||||||
gen_require(`
|
gen_require(`
|
||||||
@ -33953,7 +33986,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
|
|||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@@ -2922,11 +3043,11 @@
|
@@ -2922,11 +3042,11 @@
|
||||||
#
|
#
|
||||||
template(`userdom_manage_user_tmp_dirs',`
|
template(`userdom_manage_user_tmp_dirs',`
|
||||||
gen_require(`
|
gen_require(`
|
||||||
@ -33967,7 +34000,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
|
|||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@@ -2958,11 +3079,11 @@
|
@@ -2958,11 +3078,11 @@
|
||||||
#
|
#
|
||||||
template(`userdom_manage_user_tmp_files',`
|
template(`userdom_manage_user_tmp_files',`
|
||||||
gen_require(`
|
gen_require(`
|
||||||
@ -33981,7 +34014,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
|
|||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@@ -2994,11 +3115,11 @@
|
@@ -2994,11 +3114,11 @@
|
||||||
#
|
#
|
||||||
template(`userdom_manage_user_tmp_symlinks',`
|
template(`userdom_manage_user_tmp_symlinks',`
|
||||||
gen_require(`
|
gen_require(`
|
||||||
@ -33995,7 +34028,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
|
|||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@@ -3030,11 +3151,11 @@
|
@@ -3030,11 +3150,11 @@
|
||||||
#
|
#
|
||||||
template(`userdom_manage_user_tmp_pipes',`
|
template(`userdom_manage_user_tmp_pipes',`
|
||||||
gen_require(`
|
gen_require(`
|
||||||
@ -34009,7 +34042,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
|
|||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@@ -3066,11 +3187,11 @@
|
@@ -3066,11 +3186,11 @@
|
||||||
#
|
#
|
||||||
template(`userdom_manage_user_tmp_sockets',`
|
template(`userdom_manage_user_tmp_sockets',`
|
||||||
gen_require(`
|
gen_require(`
|
||||||
@ -34023,7 +34056,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
|
|||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@@ -3115,10 +3236,10 @@
|
@@ -3115,10 +3235,10 @@
|
||||||
#
|
#
|
||||||
template(`userdom_user_tmp_filetrans',`
|
template(`userdom_user_tmp_filetrans',`
|
||||||
gen_require(`
|
gen_require(`
|
||||||
@ -34036,7 +34069,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
|
|||||||
files_search_tmp($2)
|
files_search_tmp($2)
|
||||||
')
|
')
|
||||||
|
|
||||||
@@ -3159,19 +3280,19 @@
|
@@ -3159,19 +3279,19 @@
|
||||||
#
|
#
|
||||||
template(`userdom_tmp_filetrans_user_tmp',`
|
template(`userdom_tmp_filetrans_user_tmp',`
|
||||||
gen_require(`
|
gen_require(`
|
||||||
@ -34060,7 +34093,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
|
|||||||
## </p>
|
## </p>
|
||||||
## <p>
|
## <p>
|
||||||
## This is a templated interface, and should only
|
## This is a templated interface, and should only
|
||||||
@@ -4597,11 +4718,11 @@
|
@@ -4597,11 +4717,11 @@
|
||||||
#
|
#
|
||||||
interface(`userdom_search_all_users_home_dirs',`
|
interface(`userdom_search_all_users_home_dirs',`
|
||||||
gen_require(`
|
gen_require(`
|
||||||
@ -34074,10 +34107,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
|
|||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@@ -4621,6 +4742,14 @@
|
@@ -4621,7 +4741,15 @@
|
||||||
|
|
||||||
files_list_home($1)
|
files_list_home($1)
|
||||||
allow $1 home_dir_type:dir list_dir_perms;
|
allow $1 home_dir_type:dir list_dir_perms;
|
||||||
|
-')
|
||||||
+
|
+
|
||||||
+ tunable_policy(`use_nfs_home_dirs',`
|
+ tunable_policy(`use_nfs_home_dirs',`
|
||||||
+ fs_list_nfs($1)
|
+ fs_list_nfs($1)
|
||||||
@ -34086,10 +34120,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
|
|||||||
+ tunable_policy(`use_samba_home_dirs',`
|
+ tunable_policy(`use_samba_home_dirs',`
|
||||||
+ fs_list_cifs($1)
|
+ fs_list_cifs($1)
|
||||||
+ ')
|
+ ')
|
||||||
')
|
+')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@@ -4702,6 +4831,25 @@
|
## <summary>
|
||||||
|
@@ -4702,6 +4830,25 @@
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <summary>
|
## <summary>
|
||||||
@ -34115,7 +34150,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
|
|||||||
## Create, read, write, and delete all files
|
## Create, read, write, and delete all files
|
||||||
## in all users home directories.
|
## in all users home directories.
|
||||||
## </summary>
|
## </summary>
|
||||||
@@ -4927,7 +5075,7 @@
|
@@ -4927,7 +5074,7 @@
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <summary>
|
## <summary>
|
||||||
@ -34124,7 +34159,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
|
|||||||
## </summary>
|
## </summary>
|
||||||
## <param name="domain">
|
## <param name="domain">
|
||||||
## <summary>
|
## <summary>
|
||||||
@@ -5299,6 +5447,42 @@
|
@@ -5299,6 +5446,42 @@
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <summary>
|
## <summary>
|
||||||
@ -34167,7 +34202,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
|
|||||||
## Read and write unprivileged user ttys.
|
## Read and write unprivileged user ttys.
|
||||||
## </summary>
|
## </summary>
|
||||||
## <param name="domain">
|
## <param name="domain">
|
||||||
@@ -5349,7 +5533,7 @@
|
@@ -5349,7 +5532,7 @@
|
||||||
attribute userdomain;
|
attribute userdomain;
|
||||||
')
|
')
|
||||||
|
|
||||||
@ -34176,7 +34211,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
|
|||||||
kernel_search_proc($1)
|
kernel_search_proc($1)
|
||||||
')
|
')
|
||||||
|
|
||||||
@@ -5464,6 +5648,42 @@
|
@@ -5464,6 +5647,42 @@
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <summary>
|
## <summary>
|
||||||
@ -34219,7 +34254,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
|
|||||||
## Send a dbus message to all user domains.
|
## Send a dbus message to all user domains.
|
||||||
## </summary>
|
## </summary>
|
||||||
## <param name="domain">
|
## <param name="domain">
|
||||||
@@ -5494,3 +5714,521 @@
|
@@ -5494,3 +5713,521 @@
|
||||||
interface(`userdom_unconfined',`
|
interface(`userdom_unconfined',`
|
||||||
refpolicywarn(`$0($*) has been deprecated.')
|
refpolicywarn(`$0($*) has been deprecated.')
|
||||||
')
|
')
|
||||||
|