- Allow iptables to talk to terminals

policy-20081111.patch

@@ -21556,7 +21556,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +/var/cache/coolkey(/.*)?	gen_context(system_u:object_r:auth_cache_t,s0)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.if serefpolicy-3.6.1/policy/modules/system/authlogin.if
 --- nsaserefpolicy/policy/modules/system/authlogin.if	2008-11-11 16:13:48.000000000 -0500
-+++ serefpolicy-3.6.1/policy/modules/system/authlogin.if	2008-12-03 09:10:20.000000000 -0500
++++ serefpolicy-3.6.1/policy/modules/system/authlogin.if	2008-12-04 14:13:34.000000000 -0500
 @@ -43,6 +43,7 @@
  interface(`auth_login_pgm_domain',`
  	gen_require(`
@@ -21601,13 +21601,14 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  
  	init_rw_utmp($1)
  
-@@ -100,8 +117,39 @@
+@@ -100,8 +117,40 @@
  	seutil_read_config($1)
  	seutil_read_default_contexts($1)
  
 +	userdom_set_rlimitnh($1)
 +	userdom_read_user_home_content_symlinks($1)
 +	userdom_delete_user_tmp_files($1)
++	userdom_search_admin_dir($1)
 +
 +	optional_policy(`
 +		dbus_system_bus_client($1)
@@ -21641,7 +21642,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  	')
  ')
  
-@@ -207,19 +255,16 @@
+@@ -207,19 +256,16 @@
  	dev_read_rand($1)
  	dev_read_urand($1)
  
@@ -21666,7 +21667,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  	')
  
  	optional_policy(`
-@@ -230,6 +275,29 @@
+@@ -230,6 +276,29 @@
  	optional_policy(`
  		samba_stream_connect_winbind($1)
  	')
@@ -21696,7 +21697,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  ')
  
  ########################################
-@@ -254,6 +322,7 @@
+@@ -254,6 +323,7 @@
  
  	auth_domtrans_chk_passwd($1)
  	role $2 types chkpwd_t;
@@ -21704,7 +21705,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  ')
  
  ########################################
-@@ -1031,6 +1100,32 @@
+@@ -1031,6 +1101,32 @@
  
  ########################################
  ## <summary>
@@ -21737,7 +21738,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  ##	Manage all files on the filesystem, except
  ##	the shadow passwords and listed exceptions.
  ## </summary>
-@@ -1297,6 +1392,10 @@
+@@ -1297,6 +1393,10 @@
  	')
  
  	optional_policy(`
@@ -21748,7 +21749,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  		nis_use_ypbind($1)
  	')
  
-@@ -1307,6 +1406,7 @@
+@@ -1307,6 +1407,7 @@
  	optional_policy(`
  		samba_stream_connect_winbind($1)
  		samba_read_var_files($1)
@@ -21756,7 +21757,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  	')
  ')
  
-@@ -1341,3 +1441,61 @@
+@@ -1341,3 +1442,61 @@
  	typeattribute $1 can_write_shadow_passwords;
  	typeattribute $1 can_relabelto_shadow_passwords;
  ')
@@ -25462,7 +25463,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +/dev/shm/mono.*		gen_context(system_u:object_r:user_tmpfs_t,s0)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.6.1/policy/modules/system/userdomain.if
 --- nsaserefpolicy/policy/modules/system/userdomain.if	2008-11-13 18:40:02.000000000 -0500
-+++ serefpolicy-3.6.1/policy/modules/system/userdomain.if	2008-12-04 13:27:59.000000000 -0500
++++ serefpolicy-3.6.1/policy/modules/system/userdomain.if	2008-12-04 14:28:00.000000000 -0500
 @@ -30,8 +30,9 @@
  	')
  
@@ -25714,10 +25715,12 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 -	gen_require(`
 -		type $1_t;
 -	')
--
++interface(`userdom_basic_networking',`
+ 
 -	allow $1_t self:tcp_socket create_stream_socket_perms;
 -	allow $1_t self:udp_socket create_socket_perms;
-+interface(`userdom_basic_networking',`
++	allow $1 self:tcp_socket create_stream_socket_perms;
++	allow $1 self:udp_socket create_socket_perms;
  
 -	corenet_all_recvfrom_unlabeled($1_t)
 -	corenet_all_recvfrom_netlabel($1_t)
@@ -25729,9 +25732,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 -	corenet_udp_sendrecv_all_ports($1_t)
 -	corenet_tcp_connect_all_ports($1_t)
 -	corenet_sendrecv_all_client_packets($1_t)
-+	allow $1 self:tcp_socket create_stream_socket_perms;
+-
-+	allow $1 self:udp_socket create_socket_perms;
- 
 -	corenet_all_recvfrom_labeled($1_t, $1_t)
 +	corenet_all_recvfrom_unlabeled($1)
 +	corenet_all_recvfrom_netlabel($1)
@@ -25848,26 +25849,26 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +	kernel_get_sysvipc_info($1_usertype)
  	# Find CDROM devices:
 -	kernel_read_device_sysctls($1_t)
--
--	corecmd_exec_bin($1_t)
 +	kernel_read_device_sysctls($1_usertype)
  
--	corenet_udp_bind_all_nodes($1_t)
+-	corecmd_exec_bin($1_t)
--	corenet_udp_bind_generic_port($1_t)
 +	corenet_udp_bind_all_nodes($1_usertype)
 +	corenet_udp_bind_generic_port($1_usertype)
  
--	dev_read_rand($1_t)
+-	corenet_udp_bind_all_nodes($1_t)
--	dev_write_sound($1_t)
+-	corenet_udp_bind_generic_port($1_t)
--	dev_read_sound($1_t)
--	dev_read_sound_mixer($1_t)
--	dev_write_sound_mixer($1_t)
 +	dev_read_rand($1_usertype)
 +	dev_write_sound($1_usertype)
 +	dev_read_sound($1_usertype)
 +	dev_read_sound_mixer($1_usertype)
 +	dev_write_sound_mixer($1_usertype)
  
+-	dev_read_rand($1_t)
+-	dev_write_sound($1_t)
+-	dev_read_sound($1_t)
+-	dev_read_sound_mixer($1_t)
+-	dev_write_sound_mixer($1_t)
+-
 -	files_exec_etc_files($1_t)
 -	files_search_locks($1_t)
 +	files_exec_etc_files($1_usertype)
@@ -26066,16 +26067,16 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 -			postgresql_stream_connect($1_t)
 -			postgresql_tcp_connect($1_t)
 +			postgresql_stream_connect($1_usertype)
-+		')
  		')
-+
-+	optional_policy(`
-+		# to allow monitoring of pcmcia status
-+		pcmcia_read_pid($1_usertype)
  	')
  
  	optional_policy(`
 -		resmgr_stream_connect($1_t)
++		# to allow monitoring of pcmcia status
++		pcmcia_read_pid($1_usertype)
++	')
++
++	optional_policy(`
 +		pcscd_read_pub_files($1_usertype)
 +		pcscd_stream_connect($1_usertype)
  	')
@@ -26111,19 +26112,19 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  
 -	userdom_manage_home_role($1_r, $1_t)
 +	userdom_change_password_template($1)
-+
-+	userdom_manage_home_role($1_r, $1_usertype)
  
 -	userdom_manage_tmp_role($1_r, $1_t)
 -	userdom_manage_tmpfs_role($1_r, $1_t)
-+	userdom_manage_tmp_role($1_r, $1_usertype)
++	userdom_manage_home_role($1_r, $1_usertype)
-+	userdom_manage_tmpfs_role($1_r, $1_usertype)
  
 -	userdom_exec_user_tmp_files($1_t)
 -	userdom_exec_user_home_content_files($1_t)
-+	gen_tunable(allow_$1_exec_content, true)
++	userdom_manage_tmp_role($1_r, $1_usertype)
++	userdom_manage_tmpfs_role($1_r, $1_usertype)
  
 -	userdom_change_password_template($1)
++	gen_tunable(allow_$1_exec_content, true)
++
 +	tunable_policy(`allow_$1_exec_content',`
 +		userdom_exec_user_tmp_files($1_usertype)
 +		userdom_exec_user_home_content_files($1_usertype)
@@ -26288,11 +26289,11 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  	auth_role($1_r, $1_t)
 -	auth_search_pam_console_data($1_t)
 +	auth_search_pam_console_data($1_usertype)
-+
-+	xserver_role($1_r, $1_t)
  
 -	dev_read_sound($1_t)
 -	dev_write_sound($1_t)
++	xserver_role($1_r, $1_t)
++
 +	dev_read_sound($1_usertype)
 +	dev_write_sound($1_usertype)
  	# gnome keyring wants to read this.
@@ -26759,7 +26760,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  ##	Send a dbus message to all user domains.
  ## </summary>
  ## <param name="domain">
-@@ -2981,3 +3172,245 @@
+@@ -2981,3 +3172,262 @@
  
  	allow $1 userdomain:dbus send_msg;
  ')
@@ -26931,6 +26932,23 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +
 +	dontaudit $1 admin_home_t:dir search_dir_perms;
 +')
++########################################
++## <summary>
++##	dontaudit list /root
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`userdom_dontaudit_list_admin_dir',`
++	gen_require(`
++		type admin_home_t;
++	')
++
++	dontaudit $1 admin_home_t:dir list_dir_perms;
++')
 +
 +########################################
 +## <summary>

selinux-policy.spec

@@ -20,7 +20,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.6.1
-Release: 5%{?dist}
+Release: 6%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -446,6 +446,9 @@ exit 0
 %endif
 
 %changelog
+* Thu Dec 4 2008 Dan Walsh <dwalsh@redhat.com> 3.6.1-6
+- Allow iptables to talk to terminals
+
 * Thu Dec 4 2008 Dan Walsh <dwalsh@redhat.com> 3.6.1-5
 - Allow iptables to talk to terminals