- Add boolean to disallow unconfined_t login

This commit is contained in:
Daniel J Walsh 2009-02-03 20:23:12 +00:00
parent 574cab47f1
commit bc2add3885

View File

@ -2875,7 +2875,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin.te serefpolicy-3.6.3/policy/modules/apps/nsplugin.te
--- nsaserefpolicy/policy/modules/apps/nsplugin.te 1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-3.6.3/policy/modules/apps/nsplugin.te 2009-02-02 09:39:29.000000000 -0500
+++ serefpolicy-3.6.3/policy/modules/apps/nsplugin.te 2009-02-03 10:55:18.000000000 -0500
@@ -0,0 +1,288 @@
+
+policy_module(nsplugin, 1.0.0)
@ -2897,7 +2897,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+## Allow nsplugin code to connect to unreserved ports
+## </p>
+## </desc>
+gen_tunable(nsplugin_can_network, True)
+gen_tunable(nsplugin_can_network, true)
+
+type nsplugin_exec_t;
+application_executable_file(nsplugin_exec_t)
@ -12453,7 +12453,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
## </summary>
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dnsmasq.te serefpolicy-3.6.3/policy/modules/services/dnsmasq.te
--- nsaserefpolicy/policy/modules/services/dnsmasq.te 2009-01-19 11:06:49.000000000 -0500
+++ serefpolicy-3.6.3/policy/modules/services/dnsmasq.te 2009-01-19 13:10:02.000000000 -0500
+++ serefpolicy-3.6.3/policy/modules/services/dnsmasq.te 2009-02-03 14:14:11.000000000 -0500
@@ -69,21 +69,22 @@
# allow access to dnsmasq.conf
@ -12480,6 +12480,12 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
optional_policy(`
@@ -96,4 +97,5 @@
optional_policy(`
virt_manage_lib_files(dnsmasq_t)
+ virt_read_pid_files(dnsmasq_t)
')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dovecot.fc serefpolicy-3.6.3/policy/modules/services/dovecot.fc
--- nsaserefpolicy/policy/modules/services/dovecot.fc 2008-11-11 16:13:47.000000000 -0500
+++ serefpolicy-3.6.3/policy/modules/services/dovecot.fc 2009-01-19 13:10:02.000000000 -0500
@ -13022,7 +13028,25 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ftp.te serefpolicy-3.6.3/policy/modules/services/ftp.te
--- nsaserefpolicy/policy/modules/services/ftp.te 2009-01-19 11:06:49.000000000 -0500
+++ serefpolicy-3.6.3/policy/modules/services/ftp.te 2009-01-19 13:10:02.000000000 -0500
+++ serefpolicy-3.6.3/policy/modules/services/ftp.te 2009-02-03 11:10:55.000000000 -0500
@@ -26,7 +26,7 @@
## <desc>
## <p>
## Allow ftp servers to use cifs
-## used for public file transfer services.
+## for public file transfer services.
## </p>
## </desc>
gen_tunable(allow_ftpd_use_cifs, false)
@@ -34,7 +34,7 @@
## <desc>
## <p>
## Allow ftp servers to use nfs
-## used for public file transfer services.
+## for public file transfer services.
## </p>
## </desc>
gen_tunable(allow_ftpd_use_nfs, false)
@@ -160,6 +160,7 @@
fs_search_auto_mountpoints(ftpd_t)
@ -22512,7 +22536,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+HOME_DIR/VirtualMachines/isos(/.*)? gen_context(system_u:object_r:virt_content_t,s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt.if serefpolicy-3.6.3/policy/modules/services/virt.if
--- nsaserefpolicy/policy/modules/services/virt.if 2009-01-05 15:39:43.000000000 -0500
+++ serefpolicy-3.6.3/policy/modules/services/virt.if 2009-01-30 09:30:42.000000000 -0500
+++ serefpolicy-3.6.3/policy/modules/services/virt.if 2009-02-03 14:14:04.000000000 -0500
@@ -293,6 +293,41 @@
########################################
@ -23335,7 +23359,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.te serefpolicy-3.6.3/policy/modules/services/xserver.te
--- nsaserefpolicy/policy/modules/services/xserver.te 2009-01-19 11:06:49.000000000 -0500
+++ serefpolicy-3.6.3/policy/modules/services/xserver.te 2009-02-02 14:36:35.000000000 -0500
+++ serefpolicy-3.6.3/policy/modules/services/xserver.te 2009-02-03 10:52:31.000000000 -0500
@@ -34,6 +34,13 @@
## <desc>
@ -23735,7 +23759,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
seutil_sigchld_newrole(xdm_t)
')
@@ -550,9 +651,11 @@
@@ -550,8 +651,9 @@
')
optional_policy(`
@ -23745,11 +23769,17 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+ unconfined_signal(xdm_t)
+')
+optional_policy(`
ifndef(`distro_redhat',`
allow xdm_t self:process { execheap execmem };
@@ -560,7 +662,6 @@
ifdef(`distro_rhel4',`
allow xdm_t self:process { execheap execmem };
')
@@ -571,6 +674,10 @@
-')
optional_policy(`
userhelper_dontaudit_search_config(xdm_t)
@@ -571,6 +672,10 @@
')
optional_policy(`
@ -23760,7 +23790,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
xfs_stream_connect(xdm_t)
')
@@ -587,7 +694,7 @@
@@ -587,7 +692,7 @@
# execheap needed until the X module loader is fixed.
# NVIDIA Needs execstack
@ -23769,7 +23799,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
dontaudit xserver_t self:capability chown;
allow xserver_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
allow xserver_t self:memprotect mmap_zero;
@@ -602,9 +709,11 @@
@@ -602,9 +707,11 @@
allow xserver_t self:unix_stream_socket { create_stream_socket_perms connectto };
allow xserver_t self:tcp_socket create_stream_socket_perms;
allow xserver_t self:udp_socket create_socket_perms;
@ -23781,7 +23811,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
allow xserver_t { input_xevent_t input_xevent_type }:x_event send;
@@ -622,7 +731,7 @@
@@ -622,7 +729,7 @@
manage_sock_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
files_tmp_filetrans(xserver_t, xserver_tmp_t, { file dir sock_file })
@ -23790,7 +23820,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
manage_dirs_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t)
manage_files_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t)
@@ -635,6 +744,15 @@
@@ -635,6 +742,15 @@
manage_lnk_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
files_search_var_lib(xserver_t)
@ -23806,7 +23836,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
# Create files in /var/log with the xserver_log_t type.
manage_files_pattern(xserver_t, xserver_log_t, xserver_log_t)
logging_log_filetrans(xserver_t, xserver_log_t,file)
@@ -680,9 +798,14 @@
@@ -680,9 +796,14 @@
dev_rw_xserver_misc(xserver_t)
# read events - the synaptics touchpad driver reads raw events
dev_rw_input_dev(xserver_t)
@ -23821,7 +23851,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
files_read_etc_files(xserver_t)
files_read_etc_runtime_files(xserver_t)
@@ -697,8 +820,13 @@
@@ -697,8 +818,13 @@
fs_search_nfs(xserver_t)
fs_search_auto_mountpoints(xserver_t)
fs_search_ramfs(xserver_t)
@ -23835,7 +23865,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
selinux_validate_context(xserver_t)
selinux_compute_access_vector(xserver_t)
@@ -720,6 +848,7 @@
@@ -720,6 +846,7 @@
miscfiles_read_localization(xserver_t)
miscfiles_read_fonts(xserver_t)
@ -23843,7 +23873,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
modutils_domtrans_insmod(xserver_t)
@@ -742,7 +871,7 @@
@@ -742,7 +869,7 @@
')
ifdef(`enable_mls',`
@ -23852,7 +23882,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
range_transition xserver_t xserver_t:x_drawable s0 - mls_systemhigh;
')
@@ -774,6 +903,10 @@
@@ -774,6 +901,10 @@
')
optional_policy(`
@ -23863,7 +23893,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
rhgb_getpgid(xserver_t)
rhgb_signal(xserver_t)
')
@@ -806,7 +939,7 @@
@@ -806,7 +937,7 @@
allow xserver_t xdm_var_lib_t:file { getattr read };
dontaudit xserver_t xdm_var_lib_t:dir search;
@ -23872,7 +23902,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
# Label pid and temporary files with derived types.
manage_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
@@ -827,9 +960,14 @@
@@ -827,9 +958,14 @@
# to read ROLE_home_t - examine this in more detail
# (xauth?)
userdom_read_user_home_content_files(xserver_t)
@ -23887,7 +23917,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
tunable_policy(`use_nfs_home_dirs',`
fs_manage_nfs_dirs(xserver_t)
fs_manage_nfs_files(xserver_t)
@@ -844,11 +982,14 @@
@@ -844,11 +980,14 @@
optional_policy(`
dbus_system_bus_client(xserver_t)
@ -23903,7 +23933,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
optional_policy(`
@@ -856,6 +997,11 @@
@@ -856,6 +995,11 @@
rhgb_rw_tmpfs_files(xserver_t)
')
@ -23915,7 +23945,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
########################################
#
# Rules common to all X window domains
@@ -881,6 +1027,8 @@
@@ -881,6 +1025,8 @@
# X Server
# can read server-owned resources
allow x_domain xserver_t:x_resource read;
@ -23924,7 +23954,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
# can mess with own clients
allow x_domain self:x_client { manage destroy };
@@ -905,6 +1053,8 @@
@@ -905,6 +1051,8 @@
# operations allowed on my windows
allow x_domain self:x_drawable { create destroy getattr setattr read write show hide list_child add_child remove_child manage send receive };
@ -23933,7 +23963,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
# X Colormaps
# can use the default colormap
allow x_domain rootwindow_t:x_colormap { read use add_color };
@@ -972,6 +1122,37 @@
@@ -972,6 +1120,37 @@
allow xserver_unconfined_type { x_domain xserver_t }:x_resource *;
allow xserver_unconfined_type xevent_type:{ x_event x_synthetic_event } *;
@ -23971,7 +24001,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
ifdef(`TODO',`
tunable_policy(`allow_polyinstantiation',`
# xdm needs access for linking .X11-unix to poly /tmp
@@ -986,3 +1167,12 @@
@@ -986,3 +1165,12 @@
#
allow xdm_t user_home_type:file unlink;
') dnl end TODO
@ -24810,7 +24840,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.te serefpolicy-3.6.3/policy/modules/system/init.te
--- nsaserefpolicy/policy/modules/system/init.te 2009-01-19 11:07:34.000000000 -0500
+++ serefpolicy-3.6.3/policy/modules/system/init.te 2009-01-28 09:55:56.000000000 -0500
+++ serefpolicy-3.6.3/policy/modules/system/init.te 2009-02-03 14:13:10.000000000 -0500
@@ -17,6 +17,20 @@
## </desc>
gen_tunable(init_upstart,false)
@ -24988,7 +25018,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+domain_dontaudit_use_interactive_fds(daemon)
+
+userdom_dontaudit_search_admin_dir(daemon)
+userdom_dontaudit_list_admin_dir(daemon)
+
+tunable_policy(`allow_daemons_use_tty',`
+ term_use_unallocated_ttys(daemon)
@ -25292,7 +25322,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
allow iscsid_t iscsi_tmp_t:dir manage_dir_perms;
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.fc serefpolicy-3.6.3/policy/modules/system/libraries.fc
--- nsaserefpolicy/policy/modules/system/libraries.fc 2009-01-05 15:39:43.000000000 -0500
+++ serefpolicy-3.6.3/policy/modules/system/libraries.fc 2009-01-26 13:53:03.000000000 -0500
+++ serefpolicy-3.6.3/policy/modules/system/libraries.fc 2009-02-03 14:11:21.000000000 -0500
@@ -60,12 +60,15 @@
#
# /opt
@ -25322,7 +25352,15 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
/opt/f-secure/fspms/libexec/librapi\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/opt/ibm/java.*/jre/.+\.jar -- gen_context(system_u:object_r:lib_t,s0)
/opt/ibm/java.*/jre/.+\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
@@ -115,9 +119,17 @@
@@ -103,6 +107,7 @@
#
/usr/(.*/)?/HelixPlayer/.+\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/(.*/)?/RealPlayer/.+\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/opt/(.*/)?/RealPlayer/.+\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/(.*/)?java/.+\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/(.*/)?java/.+\.jar -- gen_context(system_u:object_r:lib_t,s0)
@@ -115,9 +120,17 @@
/usr/(.*/)?nvidia/.+\.so(\..*)? -- gen_context(system_u:object_r:textrel_shlib_t,s0)
@ -25340,7 +25378,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
/usr/(.*/)?lib(64)?(/.*)?/nvidia/.+\.so(\..*)? -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib(64)?(/.*)?/nvidia/.+\.so(\..*)? -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib(64)?/libsipphoneapi\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
@@ -127,12 +139,14 @@
@@ -127,12 +140,14 @@
/usr/lib(64)?/libGLU\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib(64)?/libjs\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib(64)?/libx264\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
@ -25355,7 +25393,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
/usr/lib(64)?/xulrunner-[^/]*/libgtkembedmoz\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib(64)?/xulrunner-[^/]*/libxul\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
@@ -168,7 +182,8 @@
@@ -168,7 +183,8 @@
# Fedora Core packages: gstreamer-plugins, compat-libstdc++, Glide3, libdv
# HelixPlayer, SDL, xorg-x11, xorg-x11-libs, Hermes, valgrind, openoffice.org-libs, httpd - php
/usr/lib(64)?/gstreamer-.*/[^/]*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
@ -25365,7 +25403,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
/usr/lib/firefox-[^/]*/plugins/nppdf.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib/libFLAC\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
@@ -187,6 +202,7 @@
@@ -187,6 +203,7 @@
/usr/lib(64)?/libdv\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib(64)?/helix/plugins/[^/]*\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib(64)?/helix/codecs/[^/]*\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
@ -25373,7 +25411,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
/usr/lib(64)?/libSDL-.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib(64)?/xorg/modules/dri/.+\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/X11R6/lib/modules/dri/.+\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
@@ -246,12 +262,13 @@
@@ -246,12 +263,13 @@
# Flash plugin, Macromedia
HOME_DIR/\.mozilla(/.*)?/plugins/libflashplayer\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
@ -25389,7 +25427,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
# Jai, Sun Microsystems (Jpackage SPRM)
/usr/lib(64)?/libmlib_jai\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
@@ -267,6 +284,9 @@
@@ -267,6 +285,9 @@
/usr/lib(64)?/vmware/lib(/.*)?/HConfig\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib(64)?/vmware/(.*/)?VmPerl\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
@ -25399,7 +25437,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
# Java, Sun Microsystems (JPackage SRPM)
/usr/(.*/)?jre.*/.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/local/(.*/)?jre.*/.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
@@ -291,6 +311,8 @@
@@ -291,6 +312,8 @@
/usr/lib/acroread/(.*/)?lib/[^/]*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib/acroread/.+\.api -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib/acroread/(.*/)?ADMPlugin\.apl -- gen_context(system_u:object_r:textrel_shlib_t,s0)
@ -25408,7 +25446,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
') dnl end distro_redhat
#
@@ -303,6 +325,8 @@
@@ -303,6 +326,8 @@
/var/mailman/pythonlib(/.*)?/.+\.so(\..*)? -- gen_context(system_u:object_r:lib_t,s0)
@ -25417,7 +25455,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
ifdef(`distro_suse',`
/var/lib/samba/bin/.+\.so(\.[^/]*)* -l gen_context(system_u:object_r:lib_t,s0)
')
@@ -310,3 +334,20 @@
@@ -310,3 +335,20 @@
/var/spool/postfix/lib(64)?(/.*)? gen_context(system_u:object_r:lib_t,s0)
/var/spool/postfix/usr(/.*)? gen_context(system_u:object_r:lib_t,s0)
/var/spool/postfix/lib(64)?/ld.*\.so.* -- gen_context(system_u:object_r:ld_so_t,s0)
@ -27721,7 +27759,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+/opt/real/(.*/)?realplay\.bin -- gen_context(system_u:object_r:execmem_exec_t,s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.if serefpolicy-3.6.3/policy/modules/system/unconfined.if
--- nsaserefpolicy/policy/modules/system/unconfined.if 2008-11-11 16:13:48.000000000 -0500
+++ serefpolicy-3.6.3/policy/modules/system/unconfined.if 2009-02-02 14:49:54.000000000 -0500
+++ serefpolicy-3.6.3/policy/modules/system/unconfined.if 2009-02-03 10:47:05.000000000 -0500
@@ -12,14 +12,13 @@
#
interface(`unconfined_domain_noaudit',`
@ -27784,14 +27822,14 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
interface(`unconfined_shell_domtrans',`
gen_require(`
- type unconfined_t;
+ type unconfined_login_domain;
+ attribute unconfined_login_domain;
')
-
- corecmd_shell_domtrans($1,unconfined_t)
- allow unconfined_t $1:fd use;
- allow unconfined_t $1:fifo_file rw_file_perms;
- allow unconfined_t $1:process sigchld;
+ typeattribute $1 unconfined_login_domain
+ typeattribute $1 unconfined_login_domain;
')
########################################
@ -27973,7 +28011,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.te serefpolicy-3.6.3/policy/modules/system/unconfined.te
--- nsaserefpolicy/policy/modules/system/unconfined.te 2008-11-11 16:13:48.000000000 -0500
+++ serefpolicy-3.6.3/policy/modules/system/unconfined.te 2009-02-02 14:52:21.000000000 -0500
+++ serefpolicy-3.6.3/policy/modules/system/unconfined.te 2009-02-03 15:14:47.000000000 -0500
@@ -5,36 +5,86 @@
#
# Declarations
@ -28068,7 +28106,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
libs_run_ldconfig(unconfined_t, unconfined_r)
@@ -42,26 +92,39 @@
@@ -42,26 +92,46 @@
logging_run_auditctl(unconfined_t, unconfined_r)
mount_run_unconfined(unconfined_t, unconfined_r)
@ -28084,6 +28122,13 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
userdom_user_home_dir_filetrans_user_home_content(unconfined_t, { dir file lnk_file fifo_file sock_file })
+tunable_policy(`unconfined_login',`
+ corecmd_shell_domtrans(unconfined_login_domain,unconfined_t)
+ allow unconfined_t unconfined_login_domain:fd use;
+ allow unconfined_t unconfined_login_domain:fifo_file rw_file_perms;
+ allow unconfined_t unconfined_login_domain:process sigchld;
+')
+
+optional_policy(`
+ nsplugin_role_notrans(unconfined_r, unconfined_t)
+ tunable_policy(`allow_unconfined_nsplugin_transition',`
@ -28110,7 +28155,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
optional_policy(`
@@ -102,12 +165,24 @@
@@ -102,12 +172,24 @@
')
optional_policy(`
@ -28135,7 +28180,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
optional_policy(`
@@ -119,31 +194,33 @@
@@ -119,31 +201,33 @@
')
optional_policy(`
@ -28176,7 +28221,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
optional_policy(`
@@ -155,36 +232,38 @@
@@ -155,36 +239,38 @@
')
optional_policy(`
@ -28227,7 +28272,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
optional_policy(`
@@ -192,7 +271,7 @@
@@ -192,7 +278,7 @@
')
optional_policy(`
@ -28236,7 +28281,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
optional_policy(`
@@ -204,11 +283,12 @@
@@ -204,11 +290,12 @@
')
optional_policy(`
@ -28251,7 +28296,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
########################################
@@ -218,14 +298,68 @@
@@ -218,14 +305,61 @@
allow unconfined_execmem_t self:process { execstack execmem };
unconfined_domain_noaudit(unconfined_execmem_t)
@ -28276,7 +28321,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+
+optional_policy(`
+ xserver_rw_shm(unconfined_execmem_t)
+')
')
+
+########################################
+#
@ -28295,7 +28340,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+ type mplayer_exec_t;
+ ')
+ domtrans_pattern(unconfined_t, mplayer_exec_t, unconfined_execmem_t)
')
+')
+
+optional_policy(`
+tunable_policy(`allow_unconfined_nsplugin_transition',`', `
@ -28314,13 +28359,6 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+')
+
+gen_user(unconfined_u, user, unconfined_r system_r, s0, s0 - mls_systemhigh, mcs_allcats)
+
+tunable_policy(`unconfined_login',`
+ corecmd_shell_domtrans(unconfined_login_domain,unconfined_t)
+ allow unconfined_t unconfined_login_domain:fd use;
+ allow unconfined_t unconfined_login_domain:fifo_file rw_file_perms;
+ allow unconfined_t unconfined_login_domain:process sigchld;
+')
+
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.fc serefpolicy-3.6.3/policy/modules/system/userdomain.fc
--- nsaserefpolicy/policy/modules/system/userdomain.fc 2008-11-11 16:13:48.000000000 -0500