MCS fixes

quota fixes
Dan Walsh 2011-11-04 16:10:54 -04:00
parent 55e8d8e7cf
commit c30a9b8718
3 changed files with 515 additions and 555 deletions


@ -1,6 +1,6 @@
diff -up serefpolicy-3.10.0/policy/modules/admin/rpm.te.execmem serefpolicy-3.10.0/policy/modules/admin/rpm.te
--- serefpolicy-3.10.0/policy/modules/admin/rpm.te.execmem 2011-11-02 16:19:54.192885000 -0400
+++ serefpolicy-3.10.0/policy/modules/admin/rpm.te 2011-11-02 16:19:58.603545000 -0400
--- serefpolicy-3.10.0/policy/modules/admin/rpm.te.execmem 2011-11-04 16:05:06.562601281 -0400
+++ serefpolicy-3.10.0/policy/modules/admin/rpm.te 2011-11-04 16:05:07.166602835 -0400
@@ -419,14 +419,6 @@ optional_policy(`
unconfined_domain_noaudit(rpm_script_t)
unconfined_domtrans(rpm_script_t)
@ -17,8 +17,8 @@ diff -up serefpolicy-3.10.0/policy/modules/admin/rpm.te.execmem serefpolicy-3.10
optional_policy(`
diff -up serefpolicy-3.10.0/policy/modules/apps/execmem.fc.execmem serefpolicy-3.10.0/policy/modules/apps/execmem.fc
--- serefpolicy-3.10.0/policy/modules/apps/execmem.fc.execmem 2011-11-02 16:19:54.370885000 -0400
+++ serefpolicy-3.10.0/policy/modules/apps/execmem.fc 2011-11-02 16:19:58.609541000 -0400
--- serefpolicy-3.10.0/policy/modules/apps/execmem.fc.execmem 2011-11-04 16:05:06.586601343 -0400
+++ serefpolicy-3.10.0/policy/modules/apps/execmem.fc 2011-11-04 16:05:07.167602836 -0400
@@ -47,3 +47,56 @@ ifdef(`distro_gentoo',`
/opt/Komodo-Edit-5/lib/mozilla/komodo-bin -- gen_context(system_u:object_r:execmem_exec_t,s0)
/opt/Adobe/Reader9/Reader/intellinux/bin/acroread -- gen_context(system_u:object_r:execmem_exec_t,s0)
@ -77,16 +77,24 @@ diff -up serefpolicy-3.10.0/policy/modules/apps/execmem.fc.execmem serefpolicy-3
+/usr/bin/gnatmake -- gen_context(system_u:object_r:execmem_exec_t,s0)
+/usr/libexec/gcc(/.*)?/gnat1 -- gen_context(system_u:object_r:execmem_exec_t,s0)
diff -up serefpolicy-3.10.0/policy/modules/apps/execmem.if.execmem serefpolicy-3.10.0/policy/modules/apps/execmem.if
--- serefpolicy-3.10.0/policy/modules/apps/execmem.if.execmem 2011-11-02 16:19:54.372890000 -0400
+++ serefpolicy-3.10.0/policy/modules/apps/execmem.if 2011-11-02 16:19:58.615541000 -0400
@@ -129,4 +129,3 @@ interface(`execmem_execmod',`
--- serefpolicy-3.10.0/policy/modules/apps/execmem.if.execmem 2011-11-04 16:05:06.587601346 -0400
+++ serefpolicy-3.10.0/policy/modules/apps/execmem.if 2011-11-04 16:05:24.164646504 -0400
@@ -57,6 +57,7 @@ template(`execmem_role_template',`
role $2 types $1_execmem_t;
userdom_unpriv_usertype($1, $1_execmem_t)
+ userdom_common_user($1_execmem_t)
userdom_manage_tmp_role($2, $1_execmem_t)
userdom_manage_tmpfs_role($2, $1_execmem_t)
@@ -129,4 +130,3 @@ interface(`execmem_execmod',`
allow $1 execmem_exec_t:file execmod;
')
-
diff -up serefpolicy-3.10.0/policy/modules/apps/execmem.te.execmem serefpolicy-3.10.0/policy/modules/apps/execmem.te
--- serefpolicy-3.10.0/policy/modules/apps/execmem.te.execmem 2011-11-02 16:19:54.374890000 -0400
+++ serefpolicy-3.10.0/policy/modules/apps/execmem.te 2011-11-02 16:19:58.620541000 -0400
--- serefpolicy-3.10.0/policy/modules/apps/execmem.te.execmem 2011-11-04 16:05:06.587601346 -0400
+++ serefpolicy-3.10.0/policy/modules/apps/execmem.te 2011-11-04 16:05:07.169602840 -0400
@@ -4,7 +4,25 @@ policy_module(execmem, 1.0.0)
#
# Declarations
@ -115,8 +123,8 @@ diff -up serefpolicy-3.10.0/policy/modules/apps/execmem.te.execmem serefpolicy-3
+ nsplugin_rw_semaphores(execmem_type)
+')
diff -up serefpolicy-3.10.0/policy/modules/apps/mozilla.te.execmem serefpolicy-3.10.0/policy/modules/apps/mozilla.te
--- serefpolicy-3.10.0/policy/modules/apps/mozilla.te.execmem 2011-11-02 16:19:54.533885000 -0400
+++ serefpolicy-3.10.0/policy/modules/apps/mozilla.te 2011-11-02 16:19:58.629541000 -0400
--- serefpolicy-3.10.0/policy/modules/apps/mozilla.te.execmem 2011-11-04 16:05:06.609601400 -0400
+++ serefpolicy-3.10.0/policy/modules/apps/mozilla.te 2011-11-04 16:05:07.170602843 -0400
@@ -273,10 +273,6 @@ optional_policy(`
')
@ -139,7 +147,7 @@ diff -up serefpolicy-3.10.0/policy/modules/apps/mozilla.te.execmem serefpolicy-3
optional_policy(`
diff -up serefpolicy-3.10.0/policy/modules/apps/podsleuth.te.execmem serefpolicy-3.10.0/policy/modules/apps/podsleuth.te
--- serefpolicy-3.10.0/policy/modules/apps/podsleuth.te.execmem 2011-06-27 14:18:04.000000000 -0400
+++ serefpolicy-3.10.0/policy/modules/apps/podsleuth.te 2011-11-02 16:19:58.635560000 -0400
+++ serefpolicy-3.10.0/policy/modules/apps/podsleuth.te 2011-11-04 16:05:07.171602846 -0400
@@ -85,5 +85,5 @@ optional_policy(`
')
@ -148,9 +156,9 @@ diff -up serefpolicy-3.10.0/policy/modules/apps/podsleuth.te.execmem serefpolicy
+ execmem_exec(podsleuth_t)
')
diff -up serefpolicy-3.10.0/policy/modules/roles/staff.te.execmem serefpolicy-3.10.0/policy/modules/roles/staff.te
--- serefpolicy-3.10.0/policy/modules/roles/staff.te.execmem 2011-11-02 16:19:55.151799000 -0400
+++ serefpolicy-3.10.0/policy/modules/roles/staff.te 2011-11-02 16:19:58.642541000 -0400
@@ -262,10 +262,6 @@ ifndef(`distro_redhat',`
--- serefpolicy-3.10.0/policy/modules/roles/staff.te.execmem 2011-11-04 16:05:06.684601595 -0400
+++ serefpolicy-3.10.0/policy/modules/roles/staff.te 2011-11-04 16:05:07.172602849 -0400
@@ -266,10 +266,6 @@ ifndef(`distro_redhat',`
')
optional_policy(`
@ -162,8 +170,8 @@ diff -up serefpolicy-3.10.0/policy/modules/roles/staff.te.execmem serefpolicy-3.
')
diff -up serefpolicy-3.10.0/policy/modules/roles/sysadm.te.execmem serefpolicy-3.10.0/policy/modules/roles/sysadm.te
--- serefpolicy-3.10.0/policy/modules/roles/sysadm.te.execmem 2011-11-02 16:19:55.158799000 -0400
+++ serefpolicy-3.10.0/policy/modules/roles/sysadm.te 2011-11-02 16:19:58.650541000 -0400
--- serefpolicy-3.10.0/policy/modules/roles/sysadm.te.execmem 2011-11-04 16:05:06.685601597 -0400
+++ serefpolicy-3.10.0/policy/modules/roles/sysadm.te 2011-11-04 16:05:07.173602852 -0400
@@ -530,10 +530,6 @@ ifndef(`distro_redhat',`
')
@ -176,8 +184,8 @@ diff -up serefpolicy-3.10.0/policy/modules/roles/sysadm.te.execmem serefpolicy-3
')
diff -up serefpolicy-3.10.0/policy/modules/roles/unconfineduser.te.execmem serefpolicy-3.10.0/policy/modules/roles/unconfineduser.te
--- serefpolicy-3.10.0/policy/modules/roles/unconfineduser.te.execmem 2011-11-02 16:19:58.593541000 -0400
+++ serefpolicy-3.10.0/policy/modules/roles/unconfineduser.te 2011-11-02 16:20:17.606179000 -0400
--- serefpolicy-3.10.0/policy/modules/roles/unconfineduser.te.execmem 2011-11-04 16:05:07.157602811 -0400
+++ serefpolicy-3.10.0/policy/modules/roles/unconfineduser.te 2011-11-04 16:05:07.173602852 -0400
@@ -302,10 +302,6 @@ optional_policy(`
')
@ -204,9 +212,9 @@ diff -up serefpolicy-3.10.0/policy/modules/roles/unconfineduser.te.execmem seref
tunable_policy(`unconfined_mozilla_plugin_transition', `
diff -up serefpolicy-3.10.0/policy/modules/roles/unprivuser.te.execmem serefpolicy-3.10.0/policy/modules/roles/unprivuser.te
--- serefpolicy-3.10.0/policy/modules/roles/unprivuser.te.execmem 2011-11-02 16:19:55.173799000 -0400
+++ serefpolicy-3.10.0/policy/modules/roles/unprivuser.te 2011-11-02 16:19:58.666544000 -0400
@@ -148,10 +148,6 @@ ifndef(`distro_redhat',`
--- serefpolicy-3.10.0/policy/modules/roles/unprivuser.te.execmem 2011-11-04 16:05:06.688601603 -0400
+++ serefpolicy-3.10.0/policy/modules/roles/unprivuser.te 2011-11-04 16:05:07.174602855 -0400
@@ -152,10 +152,6 @@ ifndef(`distro_redhat',`
')
optional_policy(`
@ -218,8 +226,8 @@ diff -up serefpolicy-3.10.0/policy/modules/roles/unprivuser.te.execmem serefpoli
')
diff -up serefpolicy-3.10.0/policy/modules/roles/xguest.te.execmem serefpolicy-3.10.0/policy/modules/roles/xguest.te
--- serefpolicy-3.10.0/policy/modules/roles/xguest.te.execmem 2011-11-02 16:19:55.184799000 -0400
+++ serefpolicy-3.10.0/policy/modules/roles/xguest.te 2011-11-02 16:19:58.674541000 -0400
--- serefpolicy-3.10.0/policy/modules/roles/xguest.te.execmem 2011-11-04 16:05:06.690601610 -0400
+++ serefpolicy-3.10.0/policy/modules/roles/xguest.te 2011-11-04 16:05:07.175602857 -0400
@@ -107,14 +107,6 @@ optional_policy(`
')
@ -236,8 +244,8 @@ diff -up serefpolicy-3.10.0/policy/modules/roles/xguest.te.execmem serefpolicy-3
')
diff -up serefpolicy-3.10.0/policy/modules/services/boinc.te.execmem serefpolicy-3.10.0/policy/modules/services/boinc.te
--- serefpolicy-3.10.0/policy/modules/services/boinc.te.execmem 2011-11-02 16:19:55.443799000 -0400
+++ serefpolicy-3.10.0/policy/modules/services/boinc.te 2011-11-02 16:19:58.679549000 -0400
--- serefpolicy-3.10.0/policy/modules/services/boinc.te.execmem 2011-11-04 16:05:06.724601698 -0400
+++ serefpolicy-3.10.0/policy/modules/services/boinc.te 2011-11-04 16:05:07.176602859 -0400
@@ -170,5 +170,5 @@ miscfiles_read_fonts(boinc_project_t)
miscfiles_read_localization(boinc_project_t)
@ -246,8 +254,8 @@ diff -up serefpolicy-3.10.0/policy/modules/services/boinc.te.execmem serefpolicy
+ execmem_exec(boinc_project_t)
')
diff -up serefpolicy-3.10.0/policy/modules/services/cron.te.execmem serefpolicy-3.10.0/policy/modules/services/cron.te
--- serefpolicy-3.10.0/policy/modules/services/cron.te.execmem 2011-11-02 16:19:55.743799000 -0400
+++ serefpolicy-3.10.0/policy/modules/services/cron.te 2011-11-02 16:19:58.690541000 -0400
--- serefpolicy-3.10.0/policy/modules/services/cron.te.execmem 2011-11-04 16:05:06.764601800 -0400
+++ serefpolicy-3.10.0/policy/modules/services/cron.te 2011-11-04 16:05:07.177602861 -0400
@@ -299,10 +299,6 @@ optional_policy(`
')
@ -283,8 +291,8 @@ diff -up serefpolicy-3.10.0/policy/modules/services/cron.te.execmem serefpolicy-
nis_use_ypbind(cronjob_t)
')
diff -up serefpolicy-3.10.0/policy/modules/services/hadoop.if.execmem serefpolicy-3.10.0/policy/modules/services/hadoop.if
--- serefpolicy-3.10.0/policy/modules/services/hadoop.if.execmem 2011-11-02 16:19:56.185713000 -0400
+++ serefpolicy-3.10.0/policy/modules/services/hadoop.if 2011-11-02 16:19:58.698541000 -0400
--- serefpolicy-3.10.0/policy/modules/services/hadoop.if.execmem 2011-11-04 16:05:06.825601957 -0400
+++ serefpolicy-3.10.0/policy/modules/services/hadoop.if 2011-11-04 16:05:07.178602863 -0400
@@ -127,7 +127,7 @@ template(`hadoop_domain_template',`
hadoop_exec_config(hadoop_$1_t)
@ -295,8 +303,8 @@ diff -up serefpolicy-3.10.0/policy/modules/services/hadoop.if.execmem serefpolic
kerberos_use(hadoop_$1_t)
diff -up serefpolicy-3.10.0/policy/modules/services/hadoop.te.execmem serefpolicy-3.10.0/policy/modules/services/hadoop.te
--- serefpolicy-3.10.0/policy/modules/services/hadoop.te.execmem 2011-11-02 16:19:56.193713000 -0400
+++ serefpolicy-3.10.0/policy/modules/services/hadoop.te 2011-11-02 16:19:58.707541000 -0400
--- serefpolicy-3.10.0/policy/modules/services/hadoop.te.execmem 2011-11-04 16:05:06.826601961 -0400
+++ serefpolicy-3.10.0/policy/modules/services/hadoop.te 2011-11-04 16:05:07.179602865 -0400
@@ -167,7 +167,7 @@ miscfiles_read_localization(hadoop_t)
userdom_use_inherited_user_terminals(hadoop_t)
@ -322,8 +330,8 @@ diff -up serefpolicy-3.10.0/policy/modules/services/hadoop.te.execmem serefpolic
-java_exec(zookeeper_server_t)
+execmem_exec(zookeeper_server_t)
diff -up serefpolicy-3.10.0/policy/modules/services/xserver.te.execmem serefpolicy-3.10.0/policy/modules/services/xserver.te
--- serefpolicy-3.10.0/policy/modules/services/xserver.te.execmem 2011-11-02 16:19:57.848627000 -0400
+++ serefpolicy-3.10.0/policy/modules/services/xserver.te 2011-11-02 16:19:58.744541000 -0400
--- serefpolicy-3.10.0/policy/modules/services/xserver.te.execmem 2011-11-04 16:05:07.050602537 -0400
+++ serefpolicy-3.10.0/policy/modules/services/xserver.te 2011-11-04 16:05:07.181602872 -0400
@@ -1250,10 +1250,6 @@ optional_policy(`
')
@ -336,9 +344,9 @@ diff -up serefpolicy-3.10.0/policy/modules/services/xserver.te.execmem serefpoli
rhgb_rw_tmpfs_files(xserver_t)
')
diff -up serefpolicy-3.10.0/policy/modules/system/init.te.execmem serefpolicy-3.10.0/policy/modules/system/init.te
--- serefpolicy-3.10.0/policy/modules/system/init.te.execmem 2011-11-02 16:19:58.044541000 -0400
+++ serefpolicy-3.10.0/policy/modules/system/init.te 2011-11-02 16:19:58.757543000 -0400
@@ -1191,10 +1191,6 @@ optional_policy(`
--- serefpolicy-3.10.0/policy/modules/system/init.te.execmem 2011-11-04 16:05:07.073602594 -0400
+++ serefpolicy-3.10.0/policy/modules/system/init.te 2011-11-04 16:05:07.182602876 -0400
@@ -1196,10 +1196,6 @@ optional_policy(`
unconfined_dontaudit_rw_pipes(daemon)
')
@ -350,8 +358,8 @@ diff -up serefpolicy-3.10.0/policy/modules/system/init.te.execmem serefpolicy-3.
rpm_transition_script(initrc_t)
diff -up serefpolicy-3.10.0/policy/modules/system/userdomain.if.execmem serefpolicy-3.10.0/policy/modules/system/userdomain.if
--- serefpolicy-3.10.0/policy/modules/system/userdomain.if.execmem 2011-11-02 16:19:58.435541000 -0400
+++ serefpolicy-3.10.0/policy/modules/system/userdomain.if 2011-11-02 16:19:58.796541000 -0400
--- serefpolicy-3.10.0/policy/modules/system/userdomain.if.execmem 2011-11-04 16:05:07.118602710 -0400
+++ serefpolicy-3.10.0/policy/modules/system/userdomain.if 2011-11-04 16:05:07.187602887 -0400
@@ -1281,14 +1281,6 @@ template(`userdom_unpriv_user_template',
')
@ -367,19 +375,7 @@ diff -up serefpolicy-3.10.0/policy/modules/system/userdomain.if.execmem serefpol
mount_run_fusermount($1_t, $1_r)
mount_read_pid_files($1_t)
')
diff -up serefpolicy-3.10.0/policy/modules/system/userdomain.if~ serefpolicy-3.10.0/policy/modules/system/userdomain.if
--- serefpolicy-3.10.0/policy/modules/system/userdomain.if~ 2011-11-04 13:31:34.537348883 -0400
+++ serefpolicy-3.10.0/policy/modules/system/userdomain.if 2011-11-04 15:02:50.404128186 -0400
@@ -84,7 +84,7 @@ template(`userdom_base_user_template',`
## The user domain
## </summary>
## </param>
-## <rolebase/>
+>## <rolebase/>
#
interface(`userdom_ro_home_role',`
gen_require(`
@@ -4705,3 +4705,39 @@ interface(`userdom_rw_unpriv_user_semaph
@@ -5013,3 +5005,39 @@ interface(`userdom_rw_unpriv_user_semaph
allow $1 unpriv_userdomain:sem rw_sem_perms;
')
@ -419,38 +415,3 @@ diff -up serefpolicy-3.10.0/policy/modules/system/userdomain.if~ serefpolicy-3.1
+
+ typeattribute $1 common_userdomain;
+')
diff -up serefpolicy-3.10.0/policy/modules/roles/staff.te~ serefpolicy-3.10.0/policy/modules/roles/staff.te
--- serefpolicy-3.10.0/policy/modules/roles/staff.te~ 2011-11-04 15:03:32.518287238 -0400
+++ serefpolicy-3.10.0/policy/modules/roles/staff.te 2011-11-04 15:34:10.747481773 -0400
@@ -329,3 +329,5 @@ ifndef(`distro_redhat',`
tunable_policy(`allow_execmod',`
userdom_execmod_user_home_files(staff_usertype)
')
+
+userdom_common_user(staff_execmem_t)
diff -up serefpolicy-3.10.0/policy/modules/roles/sysadm.te~ serefpolicy-3.10.0/policy/modules/roles/sysadm.te
--- serefpolicy-3.10.0/policy/modules/roles/sysadm.te~ 2011-11-04 15:03:32.812288344 -0400
+++ serefpolicy-3.10.0/policy/modules/roles/sysadm.te 2011-11-04 15:35:11.552671224 -0400
@@ -583,3 +583,5 @@ ifndef(`distro_redhat',`
xserver_role(sysadm_r, sysadm_t)
')
')
+
+userdom_common_user(sysadm_execmem_t)
diff -up serefpolicy-3.10.0/policy/modules/roles/unprivuser.te~ serefpolicy-3.10.0/policy/modules/roles/unprivuser.te
--- serefpolicy-3.10.0/policy/modules/roles/unprivuser.te~ 2011-11-04 15:03:32.521287248 -0400
+++ serefpolicy-3.10.0/policy/modules/roles/unprivuser.te 2011-11-04 15:34:20.887513436 -0400
@@ -220,3 +220,4 @@ ifndef(`distro_redhat',`
')
')
+userdom_common_user(user_execmem_t)
diff -up serefpolicy-3.10.0/policy/modules/roles/xguest.te~ serefpolicy-3.10.0/policy/modules/roles/xguest.te
--- serefpolicy-3.10.0/policy/modules/roles/xguest.te~ 2011-11-04 15:03:32.522287252 -0400
+++ serefpolicy-3.10.0/policy/modules/roles/xguest.te 2011-11-04 15:34:52.250611193 -0400
@@ -178,3 +178,5 @@ optional_policy(`
')
gen_user(xguest_u, user, xguest_r, s0, s0)
+
+userdom_common_user(xguest_execmem_t)
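Review bot: The `userdom_common_user($1_execmem_t)` call added to `execmem_role_template` in the execmem.if hunk (`@@ -57,6 +57,7 @@`) has no comment saying why every templated execmem domain should join `common_userdomain`, and the commit title and description do not mention it. The same template grants `allow $1_execmem_t self:process { execmem execstack };` (visible later on this page), so whatever rules are attached to that attribute now apply to a domain that may map writable and executable memory. Only the last line of the interface, `typeattribute $1 common_userdomain;`, is shown here, so the granted rule set cannot be checked from this page and should be confirmed against userdomain.if. I would add above the call `# execmem domains join common_userdomain; review rules on that attribute with execmem/execstack in mind`. The template body starts and ends outside the hunk.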


@ -1,6 +1,6 @@
diff -up serefpolicy-3.10.0/policy/modules/admin/usermanage.if.userdomain serefpolicy-3.10.0/policy/modules/admin/usermanage.if
--- serefpolicy-3.10.0/policy/modules/admin/usermanage.if.userdomain 2011-10-24 13:26:35.236337023 -0400
+++ serefpolicy-3.10.0/policy/modules/admin/usermanage.if 2011-10-24 13:26:35.756337065 -0400
--- serefpolicy-3.10.0/policy/modules/admin/usermanage.if.userdomain 2011-11-04 16:05:53.310721291 -0400
+++ serefpolicy-3.10.0/policy/modules/admin/usermanage.if 2011-11-04 16:05:53.930722881 -0400
@@ -308,7 +308,7 @@ interface(`usermanage_run_useradd',`
role $2 types useradd_t;
@ -11,8 +11,8 @@ diff -up serefpolicy-3.10.0/policy/modules/admin/usermanage.if.userdomain serefp
seutil_run_semanage(useradd_t, $2)
diff -up serefpolicy-3.10.0/policy/modules/admin/usermanage.te.userdomain serefpolicy-3.10.0/policy/modules/admin/usermanage.te
--- serefpolicy-3.10.0/policy/modules/admin/usermanage.te.userdomain 2011-10-24 13:26:35.711337061 -0400
+++ serefpolicy-3.10.0/policy/modules/admin/usermanage.te 2011-10-24 13:26:35.757337065 -0400
--- serefpolicy-3.10.0/policy/modules/admin/usermanage.te.userdomain 2011-11-04 16:05:53.876722742 -0400
+++ serefpolicy-3.10.0/policy/modules/admin/usermanage.te 2011-11-04 16:05:53.931722884 -0400
@@ -517,7 +517,7 @@ seutil_domtrans_setfiles(useradd_t)
userdom_use_unpriv_users_fds(useradd_t)
# Add/remove user home directories
@ -23,20 +23,20 @@ diff -up serefpolicy-3.10.0/policy/modules/admin/usermanage.te.userdomain serefp
mta_manage_spool(useradd_t)
diff -up serefpolicy-3.10.0/policy/modules/apps/execmem.if.userdomain serefpolicy-3.10.0/policy/modules/apps/execmem.if
--- serefpolicy-3.10.0/policy/modules/apps/execmem.if.userdomain 2011-10-24 13:26:35.736337064 -0400
+++ serefpolicy-3.10.0/policy/modules/apps/execmem.if 2011-10-24 13:26:35.757337065 -0400
@@ -57,8 +57,6 @@ template(`execmem_role_template',`
role $2 types $1_execmem_t;
--- serefpolicy-3.10.0/policy/modules/apps/execmem.if.userdomain 2011-11-04 16:05:53.000000000 -0400
+++ serefpolicy-3.10.0/policy/modules/apps/execmem.if 2011-11-04 16:06:10.897766368 -0400
@@ -58,8 +58,6 @@ template(`execmem_role_template',`
userdom_unpriv_usertype($1, $1_execmem_t)
userdom_common_user($1_execmem_t)
- userdom_manage_tmp_role($2, $1_execmem_t)
- userdom_manage_tmpfs_role($2, $1_execmem_t)
allow $1_execmem_t self:process { execmem execstack };
allow $3 $1_execmem_t:process { getattr ptrace noatsecure signal_perms };
diff -up serefpolicy-3.10.0/policy/modules/apps/java.if.userdomain serefpolicy-3.10.0/policy/modules/apps/java.if
--- serefpolicy-3.10.0/policy/modules/apps/java.if.userdomain 2011-10-24 13:26:35.255337024 -0400
+++ serefpolicy-3.10.0/policy/modules/apps/java.if 2011-10-24 13:26:35.758337065 -0400
--- serefpolicy-3.10.0/policy/modules/apps/java.if.userdomain 2011-11-04 16:05:53.331721346 -0400
+++ serefpolicy-3.10.0/policy/modules/apps/java.if 2011-11-04 16:05:53.933722889 -0400
@@ -73,7 +73,8 @@ template(`java_role_template',`
domain_interactive_fd($1_java_t)
@ -48,8 +48,8 @@ diff -up serefpolicy-3.10.0/policy/modules/apps/java.if.userdomain serefpolicy-3
allow $1_java_t self:process { ptrace signal getsched execmem execstack };
diff -up serefpolicy-3.10.0/policy/modules/apps/mono.if.userdomain serefpolicy-3.10.0/policy/modules/apps/mono.if
--- serefpolicy-3.10.0/policy/modules/apps/mono.if.userdomain 2011-10-24 13:26:35.261337025 -0400
+++ serefpolicy-3.10.0/policy/modules/apps/mono.if 2011-10-24 13:26:35.759337065 -0400
--- serefpolicy-3.10.0/policy/modules/apps/mono.if.userdomain 2011-11-04 16:05:53.338721365 -0400
+++ serefpolicy-3.10.0/policy/modules/apps/mono.if 2011-11-04 16:05:53.934722892 -0400
@@ -49,7 +49,8 @@ template(`mono_role_template',`
corecmd_bin_domtrans($1_mono_t, $1_t)
@ -61,8 +61,8 @@ diff -up serefpolicy-3.10.0/policy/modules/apps/mono.if.userdomain serefpolicy-3
optional_policy(`
xserver_role($1_r, $1_mono_t)
diff -up serefpolicy-3.10.0/policy/modules/apps/mozilla.if.userdomain serefpolicy-3.10.0/policy/modules/apps/mozilla.if
--- serefpolicy-3.10.0/policy/modules/apps/mozilla.if.userdomain 2011-10-24 13:26:35.262337026 -0400
+++ serefpolicy-3.10.0/policy/modules/apps/mozilla.if 2011-10-24 13:26:35.760337065 -0400
--- serefpolicy-3.10.0/policy/modules/apps/mozilla.if.userdomain 2011-11-04 16:05:53.340721370 -0400
+++ serefpolicy-3.10.0/policy/modules/apps/mozilla.if 2011-11-04 16:05:53.935722894 -0400
@@ -51,7 +51,7 @@ interface(`mozilla_role',`
mozilla_run_plugin(mozilla_t, $1)
mozilla_dbus_chat($2)
@ -73,8 +73,8 @@ diff -up serefpolicy-3.10.0/policy/modules/apps/mozilla.if.userdomain serefpolic
optional_policy(`
nsplugin_role($1, mozilla_t)
diff -up serefpolicy-3.10.0/policy/modules/apps/nsplugin.if.userdomain serefpolicy-3.10.0/policy/modules/apps/nsplugin.if
--- serefpolicy-3.10.0/policy/modules/apps/nsplugin.if.userdomain 2011-10-24 13:26:35.267337026 -0400
+++ serefpolicy-3.10.0/policy/modules/apps/nsplugin.if 2011-10-24 13:26:35.762337066 -0400
--- serefpolicy-3.10.0/policy/modules/apps/nsplugin.if.userdomain 2011-11-04 16:05:53.345721381 -0400
+++ serefpolicy-3.10.0/policy/modules/apps/nsplugin.if 2011-11-04 16:05:53.936722896 -0400
@@ -103,7 +103,7 @@ ifdef(`hide_broken_symptoms', `
userdom_use_inherited_user_terminals(nsplugin_t)
userdom_use_inherited_user_terminals(nsplugin_config_t)
@ -85,8 +85,8 @@ diff -up serefpolicy-3.10.0/policy/modules/apps/nsplugin.if.userdomain serefpoli
optional_policy(`
pulseaudio_role($1, nsplugin_t)
diff -up serefpolicy-3.10.0/policy/modules/apps/nsplugin.te.userdomain serefpolicy-3.10.0/policy/modules/apps/nsplugin.te
--- serefpolicy-3.10.0/policy/modules/apps/nsplugin.te.userdomain 2011-10-24 13:26:35.267337026 -0400
+++ serefpolicy-3.10.0/policy/modules/apps/nsplugin.te 2011-10-24 13:26:35.763337066 -0400
--- serefpolicy-3.10.0/policy/modules/apps/nsplugin.te.userdomain 2011-11-04 16:05:53.346721384 -0400
+++ serefpolicy-3.10.0/policy/modules/apps/nsplugin.te 2011-11-04 16:05:53.937722899 -0400
@@ -281,6 +281,7 @@ userdom_search_user_home_content(nsplugi
userdom_read_user_home_content_symlinks(nsplugin_config_t)
userdom_read_user_home_content_files(nsplugin_config_t)
@ -96,8 +96,8 @@ diff -up serefpolicy-3.10.0/policy/modules/apps/nsplugin.te.userdomain serefpoli
tunable_policy(`use_nfs_home_dirs',`
fs_getattr_nfs(nsplugin_t)
diff -up serefpolicy-3.10.0/policy/modules/apps/pulseaudio.if.userdomain serefpolicy-3.10.0/policy/modules/apps/pulseaudio.if
--- serefpolicy-3.10.0/policy/modules/apps/pulseaudio.if.userdomain 2011-10-24 13:26:35.270337026 -0400
+++ serefpolicy-3.10.0/policy/modules/apps/pulseaudio.if 2011-10-24 13:26:35.763337066 -0400
--- serefpolicy-3.10.0/policy/modules/apps/pulseaudio.if.userdomain 2011-11-04 16:05:53.350721394 -0400
+++ serefpolicy-3.10.0/policy/modules/apps/pulseaudio.if 2011-11-04 16:05:53.937722899 -0400
@@ -35,9 +35,9 @@ interface(`pulseaudio_role',`
allow pulseaudio_t $2:unix_stream_socket connectto;
allow $2 pulseaudio_t:unix_stream_socket connectto;
@ -112,8 +112,8 @@ diff -up serefpolicy-3.10.0/policy/modules/apps/pulseaudio.if.userdomain serefpo
allow $2 pulseaudio_t:dbus send_msg;
allow pulseaudio_t $2:dbus { acquire_svc send_msg };
diff -up serefpolicy-3.10.0/policy/modules/apps/pulseaudio.te.userdomain serefpolicy-3.10.0/policy/modules/apps/pulseaudio.te
--- serefpolicy-3.10.0/policy/modules/apps/pulseaudio.te.userdomain 2011-10-24 13:26:35.271337026 -0400
+++ serefpolicy-3.10.0/policy/modules/apps/pulseaudio.te 2011-10-24 13:26:35.764337066 -0400
--- serefpolicy-3.10.0/policy/modules/apps/pulseaudio.te.userdomain 2011-11-04 16:05:53.350721394 -0400
+++ serefpolicy-3.10.0/policy/modules/apps/pulseaudio.te 2011-11-04 16:05:53.938722902 -0400
@@ -95,6 +95,10 @@ logging_send_syslog_msg(pulseaudio_t)
miscfiles_read_localization(pulseaudio_t)
@ -126,8 +126,8 @@ diff -up serefpolicy-3.10.0/policy/modules/apps/pulseaudio.te.userdomain serefpo
alsa_read_rw_config(pulseaudio_t)
')
diff -up serefpolicy-3.10.0/policy/modules/apps/userhelper.if.userdomain serefpolicy-3.10.0/policy/modules/apps/userhelper.if
--- serefpolicy-3.10.0/policy/modules/apps/userhelper.if.userdomain 2011-10-24 13:26:35.285337027 -0400
+++ serefpolicy-3.10.0/policy/modules/apps/userhelper.if 2011-10-24 13:26:35.765337066 -0400
--- serefpolicy-3.10.0/policy/modules/apps/userhelper.if.userdomain 2011-11-04 16:05:53.368721439 -0400
+++ serefpolicy-3.10.0/policy/modules/apps/userhelper.if 2011-11-04 16:05:53.939722905 -0400
@@ -294,7 +294,7 @@ template(`userhelper_console_role_templa
auth_use_pam($1_consolehelper_t)
@ -138,8 +138,8 @@ diff -up serefpolicy-3.10.0/policy/modules/apps/userhelper.if.userdomain serefpo
optional_policy(`
dbus_connect_session_bus($1_consolehelper_t)
diff -up serefpolicy-3.10.0/policy/modules/apps/userhelper.te.userdomain serefpolicy-3.10.0/policy/modules/apps/userhelper.te
--- serefpolicy-3.10.0/policy/modules/apps/userhelper.te.userdomain 2011-10-24 13:26:35.285337027 -0400
+++ serefpolicy-3.10.0/policy/modules/apps/userhelper.te 2011-10-24 13:26:35.766337066 -0400
--- serefpolicy-3.10.0/policy/modules/apps/userhelper.te.userdomain 2011-11-04 16:05:53.369721443 -0400
+++ serefpolicy-3.10.0/policy/modules/apps/userhelper.te 2011-11-04 16:05:53.940722908 -0400
@@ -65,6 +65,7 @@ userhelper_exec(consolehelper_domain)
userdom_use_user_ptys(consolehelper_domain)
userdom_use_user_ttys(consolehelper_domain)
@ -149,8 +149,8 @@ diff -up serefpolicy-3.10.0/policy/modules/apps/userhelper.te.userdomain serefpo
optional_policy(`
gnome_read_gconf_home_files(consolehelper_domain)
diff -up serefpolicy-3.10.0/policy/modules/apps/wine.if.userdomain serefpolicy-3.10.0/policy/modules/apps/wine.if
--- serefpolicy-3.10.0/policy/modules/apps/wine.if.userdomain 2011-10-24 13:26:35.289337027 -0400
+++ serefpolicy-3.10.0/policy/modules/apps/wine.if 2011-10-24 13:26:35.766337066 -0400
--- serefpolicy-3.10.0/policy/modules/apps/wine.if.userdomain 2011-11-04 16:05:53.374721456 -0400
+++ serefpolicy-3.10.0/policy/modules/apps/wine.if 2011-11-04 16:05:53.940722908 -0400
@@ -105,7 +105,8 @@ template(`wine_role_template',`
corecmd_bin_domtrans($1_wine_t, $1_t)
@ -162,8 +162,8 @@ diff -up serefpolicy-3.10.0/policy/modules/apps/wine.if.userdomain serefpolicy-3
domain_mmap_low($1_wine_t)
diff -up serefpolicy-3.10.0/policy/modules/apps/wm.if.userdomain serefpolicy-3.10.0/policy/modules/apps/wm.if
--- serefpolicy-3.10.0/policy/modules/apps/wm.if.userdomain 2011-10-24 13:26:35.291337027 -0400
+++ serefpolicy-3.10.0/policy/modules/apps/wm.if 2011-10-24 13:26:35.767337066 -0400
--- serefpolicy-3.10.0/policy/modules/apps/wm.if.userdomain 2011-11-04 16:05:53.376721460 -0400
+++ serefpolicy-3.10.0/policy/modules/apps/wm.if 2011-11-04 16:05:53.941722910 -0400
@@ -77,9 +77,13 @@ template(`wm_role_template',`
miscfiles_read_fonts($1_wm_t)
miscfiles_read_localization($1_wm_t)
@ -182,8 +182,8 @@ diff -up serefpolicy-3.10.0/policy/modules/apps/wm.if.userdomain serefpolicy-3.1
optional_policy(`
diff -up serefpolicy-3.10.0/policy/modules/roles/sysadm.te.userdomain serefpolicy-3.10.0/policy/modules/roles/sysadm.te
--- serefpolicy-3.10.0/policy/modules/roles/sysadm.te.userdomain 2011-10-24 13:26:35.739337064 -0400
+++ serefpolicy-3.10.0/policy/modules/roles/sysadm.te 2011-10-24 13:26:35.768337066 -0400
--- serefpolicy-3.10.0/policy/modules/roles/sysadm.te.userdomain 2011-11-04 16:05:53.907722823 -0400
+++ serefpolicy-3.10.0/policy/modules/roles/sysadm.te 2011-11-04 16:05:53.942722912 -0400
@@ -61,7 +61,8 @@ sysnet_filetrans_named_content(sysadm_t)
# Add/remove user home directories
userdom_manage_user_home_dirs(sysadm_t)
@ -195,8 +195,8 @@ diff -up serefpolicy-3.10.0/policy/modules/roles/sysadm.te.userdomain serefpolic
optional_policy(`
alsa_filetrans_named_content(sysadm_t)
diff -up serefpolicy-3.10.0/policy/modules/roles/unconfineduser.te.userdomain serefpolicy-3.10.0/policy/modules/roles/unconfineduser.te
--- serefpolicy-3.10.0/policy/modules/roles/unconfineduser.te.userdomain 2011-10-24 13:26:35.740337064 -0400
+++ serefpolicy-3.10.0/policy/modules/roles/unconfineduser.te 2011-10-24 13:26:35.777337067 -0400
--- serefpolicy-3.10.0/policy/modules/roles/unconfineduser.te.userdomain 2011-11-04 16:05:53.908722825 -0400
+++ serefpolicy-3.10.0/policy/modules/roles/unconfineduser.te 2011-11-04 16:05:53.943722914 -0400
@@ -45,9 +45,12 @@ gen_tunable(unconfined_login, true)
# calls is not correct, however we dont currently
# have another method to add access to these types
@ -213,7 +213,7 @@ diff -up serefpolicy-3.10.0/policy/modules/roles/unconfineduser.te.userdomain se
userdom_unpriv_usertype(unconfined, unconfined_t)
type unconfined_exec_t;
@@ -347,9 +350,13 @@ optional_policy(`
@@ -309,9 +312,13 @@ optional_policy(`
lpd_run_checkpc(unconfined_t, unconfined_r)
')
@ -231,8 +231,8 @@ diff -up serefpolicy-3.10.0/policy/modules/roles/unconfineduser.te.userdomain se
optional_policy(`
modutils_run_update_mods(unconfined_t, unconfined_r)
diff -up serefpolicy-3.10.0/policy/modules/services/rshd.te.userdomain serefpolicy-3.10.0/policy/modules/services/rshd.te
--- serefpolicy-3.10.0/policy/modules/services/rshd.te.userdomain 2011-10-24 13:26:35.572337050 -0400
+++ serefpolicy-3.10.0/policy/modules/services/rshd.te 2011-10-24 13:26:35.769337066 -0400
--- serefpolicy-3.10.0/policy/modules/services/rshd.te.userdomain 2011-11-04 16:05:53.712722323 -0400
+++ serefpolicy-3.10.0/policy/modules/services/rshd.te 2011-11-04 16:05:53.944722916 -0400
@@ -66,7 +66,7 @@ seutil_read_config(rshd_t)
seutil_read_default_contexts(rshd_t)
@ -243,8 +243,8 @@ diff -up serefpolicy-3.10.0/policy/modules/services/rshd.te.userdomain serefpoli
tunable_policy(`use_nfs_home_dirs',`
fs_read_nfs_files(rshd_t)
diff -up serefpolicy-3.10.0/policy/modules/services/ssh.if.userdomain serefpolicy-3.10.0/policy/modules/services/ssh.if
--- serefpolicy-3.10.0/policy/modules/services/ssh.if.userdomain 2011-10-24 13:26:35.601337052 -0400
+++ serefpolicy-3.10.0/policy/modules/services/ssh.if 2011-10-24 13:26:35.770337066 -0400
--- serefpolicy-3.10.0/policy/modules/services/ssh.if.userdomain 2011-11-04 16:05:53.743722402 -0400
+++ serefpolicy-3.10.0/policy/modules/services/ssh.if 2011-11-04 16:05:53.945722918 -0400
@@ -380,7 +380,7 @@ template(`ssh_role_template',`
manage_lnk_files_pattern($3, ssh_home_t, ssh_home_t)
manage_sock_files_pattern($3, ssh_home_t, ssh_home_t)
@ -255,8 +255,8 @@ diff -up serefpolicy-3.10.0/policy/modules/services/ssh.if.userdomain serefpolic
##############################
#
diff -up serefpolicy-3.10.0/policy/modules/services/ssh.te.userdomain serefpolicy-3.10.0/policy/modules/services/ssh.te
--- serefpolicy-3.10.0/policy/modules/services/ssh.te.userdomain 2011-10-24 13:26:35.602337053 -0400
+++ serefpolicy-3.10.0/policy/modules/services/ssh.te 2011-10-24 13:26:35.771337066 -0400
--- serefpolicy-3.10.0/policy/modules/services/ssh.te.userdomain 2011-11-04 16:05:53.744722405 -0400
+++ serefpolicy-3.10.0/policy/modules/services/ssh.te 2011-11-04 16:05:53.946722921 -0400
@@ -200,6 +200,7 @@ userdom_read_user_tmp_files(ssh_t)
userdom_write_user_tmp_files(ssh_t)
userdom_read_user_home_content_symlinks(ssh_t)
@ -275,9 +275,9 @@ diff -up serefpolicy-3.10.0/policy/modules/services/ssh.te.userdomain serefpolic
userdom_signal_unpriv_users(sshd_t)
userdom_dyntransition_unpriv_users(sshd_t)
diff -up serefpolicy-3.10.0/policy/modules/services/sssd.te.userdomain serefpolicy-3.10.0/policy/modules/services/sssd.te
--- serefpolicy-3.10.0/policy/modules/services/sssd.te.userdomain 2011-10-24 13:26:35.603337053 -0400
+++ serefpolicy-3.10.0/policy/modules/services/sssd.te 2011-10-24 13:26:35.772337066 -0400
@@ -93,7 +93,7 @@ miscfiles_read_generic_certs(sssd_t)
--- serefpolicy-3.10.0/policy/modules/services/sssd.te.userdomain 2011-11-04 16:05:53.746722410 -0400
+++ serefpolicy-3.10.0/policy/modules/services/sssd.te 2011-11-04 16:05:53.947722925 -0400
@@ -97,7 +97,7 @@ miscfiles_read_generic_certs(sssd_t)
sysnet_dns_name_resolve(sssd_t)
sysnet_use_ldap(sssd_t)
@ -287,9 +287,9 @@ diff -up serefpolicy-3.10.0/policy/modules/services/sssd.te.userdomain serefpoli
optional_policy(`
dbus_system_bus_client(sssd_t)
diff -up serefpolicy-3.10.0/policy/modules/services/xserver.te.userdomain serefpolicy-3.10.0/policy/modules/services/xserver.te
--- serefpolicy-3.10.0/policy/modules/services/xserver.te.userdomain 2011-10-24 13:26:35.746337064 -0400
+++ serefpolicy-3.10.0/policy/modules/services/xserver.te 2011-10-24 13:26:35.773337067 -0400
@@ -671,7 +671,7 @@ userdom_stream_connect(xdm_t)
--- serefpolicy-3.10.0/policy/modules/services/xserver.te.userdomain 2011-11-04 16:05:53.915722843 -0400
+++ serefpolicy-3.10.0/policy/modules/services/xserver.te 2011-11-04 16:05:53.948722929 -0400
@@ -672,7 +672,7 @@ userdom_stream_connect(xdm_t)
userdom_manage_user_tmp_dirs(xdm_t)
userdom_manage_user_tmp_files(xdm_t)
userdom_manage_user_tmp_sockets(xdm_t)
@ -299,8 +299,8 @@ diff -up serefpolicy-3.10.0/policy/modules/services/xserver.te.userdomain serefp
application_signal(xdm_t)
diff -up serefpolicy-3.10.0/policy/modules/system/userdomain.if.userdomain serefpolicy-3.10.0/policy/modules/system/userdomain.if
--- serefpolicy-3.10.0/policy/modules/system/userdomain.if.userdomain 2011-10-24 13:26:35.749337065 -0400
+++ serefpolicy-3.10.0/policy/modules/system/userdomain.if 2011-10-24 13:27:29.940341512 -0400
--- serefpolicy-3.10.0/policy/modules/system/userdomain.if.userdomain 2011-11-04 16:05:53.920722856 -0400
+++ serefpolicy-3.10.0/policy/modules/system/userdomain.if 2011-11-04 16:05:53.951722936 -0400
@@ -35,21 +35,14 @@ template(`userdom_base_user_template',`
type $1_t, userdomain, $1_usertype;
domain_type($1_t)
@ -988,7 +988,7 @@ diff -up serefpolicy-3.10.0/policy/modules/system/userdomain.if.userdomain seref
##############################
#
# Local policy
@@ -3929,6 +3617,10 @@ template(`userdom_unpriv_usertype',`
@@ -3965,6 +3653,10 @@ template(`userdom_unpriv_usertype',`
auth_use_nsswitch($2)
ubac_constrained($2)
@ -1000,8 +1000,8 @@ diff -up serefpolicy-3.10.0/policy/modules/system/userdomain.if.userdomain seref
########################################
diff -up serefpolicy-3.10.0/policy/modules/system/userdomain.te.userdomain serefpolicy-3.10.0/policy/modules/system/userdomain.te
--- serefpolicy-3.10.0/policy/modules/system/userdomain.te.userdomain 2011-10-24 13:26:35.691337060 -0400
+++ serefpolicy-3.10.0/policy/modules/system/userdomain.te 2011-10-24 13:26:35.776337067 -0400
--- serefpolicy-3.10.0/policy/modules/system/userdomain.te.userdomain 2011-11-04 16:05:53.852722681 -0400
+++ serefpolicy-3.10.0/policy/modules/system/userdomain.te 2011-11-04 16:05:53.953722940 -0400
@@ -69,6 +69,8 @@ attribute userdomain;
# unprivileged user domains