##
@@ -29482,7 +29580,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
##
##
## This template creates a user domain, types, and
-@@ -954,8 +1007,8 @@
+@@ -954,8 +1008,8 @@
# Declarations
#
@@ -29492,7 +29590,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
userdom_common_user_template($1)
##############################
-@@ -964,11 +1017,12 @@
+@@ -964,11 +1018,12 @@
#
# port access is audited even if dac would not have allowed it, so dontaudit it here
@@ -29507,7 +29605,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
# cjp: why?
files_read_kernel_symbol_table($1_t)
-@@ -986,37 +1040,47 @@
+@@ -986,37 +1041,47 @@
')
')
@@ -29568,7 +29666,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
#######################################
-@@ -1050,7 +1114,7 @@
+@@ -1050,7 +1115,7 @@
#
template(`userdom_admin_user_template',`
gen_require(`
@@ -29577,7 +29675,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
##############################
-@@ -1059,8 +1123,7 @@
+@@ -1059,8 +1124,7 @@
#
# Inherit rules for ordinary users.
@@ -29587,7 +29685,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
domain_obj_id_change_exemption($1_t)
role system_r types $1_t;
-@@ -1083,7 +1146,8 @@
+@@ -1083,7 +1147,8 @@
# Skip authentication when pam_rootok is specified.
allow $1_t self:passwd rootok;
@@ -29597,7 +29695,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
kernel_read_software_raid_state($1_t)
kernel_getattr_core_if($1_t)
-@@ -1099,6 +1163,7 @@
+@@ -1099,6 +1164,7 @@
kernel_sigstop_unlabeled($1_t)
kernel_signull_unlabeled($1_t)
kernel_sigchld_unlabeled($1_t)
@@ -29605,7 +29703,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
corenet_tcp_bind_generic_port($1_t)
# allow setting up tunnels
-@@ -1106,8 +1171,6 @@
+@@ -1106,8 +1172,6 @@
dev_getattr_generic_blk_files($1_t)
dev_getattr_generic_chr_files($1_t)
@@ -29614,7 +29712,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
# Allow MAKEDEV to work
dev_create_all_blk_files($1_t)
dev_create_all_chr_files($1_t)
-@@ -1162,20 +1225,6 @@
+@@ -1162,20 +1226,6 @@
# But presently necessary for installing the file_contexts file.
seutil_manage_bin_policy($1_t)
@@ -29635,7 +29733,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
optional_policy(`
postgresql_unconfined($1_t)
')
-@@ -1221,6 +1270,7 @@
+@@ -1221,6 +1271,7 @@
dev_relabel_all_dev_nodes($1)
files_create_boot_flag($1)
@@ -29643,7 +29741,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
# Necessary for managing /boot/efi
fs_manage_dos_files($1)
-@@ -1286,11 +1336,15 @@
+@@ -1286,11 +1337,15 @@
interface(`userdom_user_home_content',`
gen_require(`
type user_home_t;
@@ -29659,7 +29757,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
########################################
-@@ -1387,7 +1441,7 @@
+@@ -1387,7 +1442,7 @@
########################################
##
@@ -29668,7 +29766,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
##
##
##
-@@ -1420,6 +1474,14 @@
+@@ -1420,6 +1475,14 @@
allow $1 user_home_dir_t:dir list_dir_perms;
files_search_home($1)
@@ -29683,7 +29781,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
########################################
-@@ -1435,9 +1497,11 @@
+@@ -1435,9 +1498,11 @@
interface(`userdom_dontaudit_list_user_home_dirs',`
gen_require(`
type user_home_dir_t;
@@ -29695,7 +29793,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
########################################
-@@ -1494,6 +1558,25 @@
+@@ -1494,6 +1559,25 @@
allow $1 user_home_dir_t:dir relabelto;
')
@@ -29721,7 +29819,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
########################################
##
## Create directories in the home dir root with
-@@ -1547,9 +1630,9 @@
+@@ -1547,9 +1631,9 @@
type user_home_dir_t, user_home_t;
')
@@ -29733,7 +29831,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
########################################
-@@ -1568,6 +1651,8 @@
+@@ -1568,6 +1652,8 @@
')
dontaudit $1 user_home_t:dir search_dir_perms;
@@ -29742,7 +29840,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
########################################
-@@ -1643,6 +1728,7 @@
+@@ -1643,6 +1729,7 @@
type user_home_dir_t, user_home_t;
')
@@ -29750,7 +29848,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
read_files_pattern($1, { user_home_dir_t user_home_t }, user_home_t)
files_search_home($1)
')
-@@ -1741,6 +1827,62 @@
+@@ -1741,6 +1828,62 @@
########################################
##
@@ -29813,7 +29911,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
## Execute user home files.
##
##
-@@ -1757,14 +1899,6 @@
+@@ -1757,14 +1900,6 @@
files_search_home($1)
exec_files_pattern($1, { user_home_dir_t user_home_t }, user_home_t)
@@ -29828,7 +29926,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
########################################
-@@ -1787,6 +1921,46 @@
+@@ -1787,6 +1922,46 @@
########################################
##
@@ -29875,7 +29973,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
## Create, read, write, and delete files
## in a user home subdirectory.
##
-@@ -1799,6 +1973,7 @@
+@@ -1799,6 +1974,7 @@
interface(`userdom_manage_user_home_content_files',`
gen_require(`
type user_home_dir_t, user_home_t;
@@ -29883,7 +29981,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
manage_files_pattern($1, user_home_t, user_home_t)
-@@ -1921,7 +2096,7 @@
+@@ -1921,7 +2097,7 @@
########################################
##
@@ -29892,7 +29990,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
## with an automatic type transition to
## a specified private type.
##
-@@ -1941,28 +2116,58 @@
+@@ -1941,28 +2117,58 @@
##
##
#
@@ -29958,10 +30056,34 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
##
## The class of the object to be created.
##
-@@ -2819,6 +3024,24 @@
+@@ -2814,7 +3020,43 @@
+ type user_tmp_t;
+ ')
- ########################################
- ##
+- allow $1 user_tmp_t:file write_file_perms;
++ write_files_pattern($1, user_tmp_t, user_tmp_t)
++')
++
++########################################
++##
++## Write all users files in /tmp
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`userdom_write_user_tmp_dirs',`
++ gen_require(`
++ type user_tmp_t;
++ ')
++
++ write_files_pattern($1, user_tmp_t, user_tmp_t)
++')
++
++########################################
++##
+## Delete all users files in /tmp
+##
+##
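Review bot: The new interface `userdom_write_user_tmp_dirs` added in this hunk has a body of `write_files_pattern($1, user_tmp_t, user_tmp_t)`, which is the same call the preceding interface is changed to make, so despite the `_dirs` name it grants write access on the `file` class only and nothing on the `dir` class; its summary line, `Write all users files in /tmp`, also describes files rather than directories. Either this duplicates the interface above it under a misleading name, or the body and summary should be changed to a directory-class pattern and `Write all users directories in /tmp`, so that a caller choosing this interface by name gets the permissions the name promises rather than a denial it did not expect. The interface whose `allow $1 user_tmp_t:file write_file_perms;` line is replaced at the top of the hunk begins outside the hunk, so its name cannot be confirmed here. The same new text is reflected in the following hunk's context lines, which need no separate change.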
@@ -29976,14 +30098,10 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+ ')
+
+ allow $1 user_tmp_t:file delete_file_perms;
-+')
-+
-+########################################
-+##
- ## Do not audit attempts to use user ttys.
- ##
- ##
-@@ -2851,6 +3074,7 @@
+ ')
+
+ ########################################
+@@ -2851,6 +3093,7 @@
')
read_files_pattern($1,userdomain,userdomain)
@@ -29991,7 +30109,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
kernel_search_proc($1)
')
-@@ -2965,6 +3189,24 @@
+@@ -2965,6 +3208,24 @@
########################################
##
@@ -30016,7 +30134,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
## Send a dbus message to all user domains.
##
##
-@@ -2981,3 +3223,313 @@
+@@ -2981,3 +3242,313 @@
allow $1 userdomain:dbus send_msg;
')
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 76c74c48..2e7040c0 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -20,7 +20,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.6.4
-Release: 3%{?dist}
+Release: 4%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -444,6 +444,9 @@ exit 0
%endif
%changelog
+* Thu Feb 5 2009 Dan Walsh 3.6.4-4
+- Fix staff_t domain
+
* Thu Feb 5 2009 Dan Walsh 3.6.4-3
- Grab remainder of network_peer_controls patch