From d854f4fd5f4d57b3f38b77d3e06fb1b3c0101a6d Mon Sep 17 00:00:00 2001 From: Daniel J Walsh Date: Fri, 3 Apr 2009 21:25:59 +0000 Subject: [PATCH] - Allow podsleuth to use tmpfs files --- policy-20090105.patch | 279 +++++++++++++++++++++++++++++------------- 1 file changed, 191 insertions(+), 88 deletions(-) diff --git a/policy-20090105.patch b/policy-20090105.patch index 0492ab9d..65725e90 100644 --- a/policy-20090105.patch +++ b/policy-20090105.patch @@ -1680,7 +1680,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +#/usr/libexec/gconfd-2 -- gen_context(system_u:object_r:gconfd_exec_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gnome.if serefpolicy-3.6.10/policy/modules/apps/gnome.if --- nsaserefpolicy/policy/modules/apps/gnome.if 2008-11-11 16:13:41.000000000 -0500 -+++ serefpolicy-3.6.10/policy/modules/apps/gnome.if 2009-03-30 10:09:41.000000000 -0400 ++++ serefpolicy-3.6.10/policy/modules/apps/gnome.if 2009-04-03 17:09:33.000000000 -0400 @@ -89,5 +89,154 @@ allow $1 gnome_home_t:dir manage_dir_perms; @@ -2843,8 +2843,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin.te serefpolicy-3.6.10/policy/modules/apps/nsplugin.te --- nsaserefpolicy/policy/modules/apps/nsplugin.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.10/policy/modules/apps/nsplugin.te 2009-03-30 10:09:41.000000000 -0400 -@@ -0,0 +1,288 @@ ++++ serefpolicy-3.6.10/policy/modules/apps/nsplugin.te 2009-04-03 17:12:08.000000000 -0400 +@@ -0,0 +1,292 @@ + +policy_module(nsplugin, 1.0.0) + @@ -3129,6 +3129,10 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +') + +optional_policy(` ++ pulseaudio_stream_connect(nsplugin_t) ++') ++ ++optional_policy(` + unconfined_execmem_exec(nsplugin_t) +') + 
@@ -3300,14 +3304,18 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/podsleuth.te serefpolicy-3.6.10/policy/modules/apps/podsleuth.te --- nsaserefpolicy/policy/modules/apps/podsleuth.te 2009-01-05 15:39:38.000000000 -0500 -+++ serefpolicy-3.6.10/policy/modules/apps/podsleuth.te 2009-03-30 10:09:41.000000000 -0400 -@@ -11,21 +11,59 @@ ++++ serefpolicy-3.6.10/policy/modules/apps/podsleuth.te 2009-04-03 16:33:08.000000000 -0400 +@@ -11,21 +11,68 @@ application_domain(podsleuth_t, podsleuth_exec_t) role system_r types podsleuth_t; +type podsleuth_tmp_t; +files_tmp_file(podsleuth_tmp_t) + ++type podsleuth_tmpfs_t; ++files_tmpfs_file(podsleuth_tmpfs_t) ++ubac_constrained(podsleuth_tmpfs_t) ++ +type podsleuth_cache_t; +files_type(podsleuth_cache_t) + @@ -3352,6 +3360,11 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +files_tmp_filetrans(podsleuth_t, podsleuth_tmp_t, { file dir }) +manage_dirs_pattern(podsleuth_t, podsleuth_tmp_t, podsleuth_tmp_t) + ++manage_dirs_pattern(podsleuth_t, podsleuth_tmpfs_t, podsleuth_tmpfs_t) ++manage_files_pattern(podsleuth_t, podsleuth_tmpfs_t, podsleuth_tmpfs_t) ++manage_lnk_files_pattern(podsleuth_t, podsleuth_tmpfs_t, podsleuth_tmpfs_t) ++fs_tmpfs_filetrans(podsleuth_t, podsleuth_tmpfs_t, { dir file lnk_file }) ++ +manage_dirs_pattern(podsleuth_t, podsleuth_cache_t, podsleuth_cache_t) +manage_files_pattern(podsleuth_t, podsleuth_cache_t, podsleuth_cache_t) +files_var_filetrans(podsleuth_t, podsleuth_cache_t, { file dir }) 
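Review bot: The tmpfs rules added in the `@@ -3352` hunk give podsleuth_t manage access to directories, files and symlinks of podsleuth_tmpfs_t, plus a type transition for `{ dir file lnk_file }`, while the commit subject only mentions tmpfs files. If the denials being fixed were for regular files only, I would keep `manage_files_pattern(podsleuth_t, podsleuth_tmpfs_t, podsleuth_tmpfs_t)` and `fs_tmpfs_filetrans(podsleuth_t, podsleuth_tmpfs_t, file)` and add the dir and lnk_file rules only when something needs them. Separately, the declaration hunk before it marks podsleuth_tmpfs_t with `ubac_constrained`, but no such line is visible for the neighbouring podsleuth_tmp_t. A one-line comment explaining why the two differ would help the next reader.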
@@ -3371,8 +3384,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +/usr/bin/pulseaudio -- gen_context(system_u:object_r:pulseaudio_exec_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/pulseaudio.if serefpolicy-3.6.10/policy/modules/apps/pulseaudio.if --- nsaserefpolicy/policy/modules/apps/pulseaudio.if 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.10/policy/modules/apps/pulseaudio.if 2009-03-30 10:09:41.000000000 -0400 -@@ -0,0 +1,105 @@ ++++ serefpolicy-3.6.10/policy/modules/apps/pulseaudio.if 2009-04-03 17:24:36.000000000 -0400 +@@ -0,0 +1,147 @@ + +## policy for pulseaudio + 
@@ -3476,12 +3489,54 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + userdom_manage_home_role($1, pulseaudio_t) + userdom_manage_tmp_role($1, pulseaudio_t) + userdom_manage_tmpfs_role($1, pulseaudio_t) ++ ++ allow $2 pulseaudio_t:dbus send_msg; ++ allow pulseaudio_t $2:dbus send_msg; +') + ++######################################## ++## ++## Send and receive messages from ++## pulseaudio over dbus. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`pulseaudio_dbus_chat',` ++ gen_require(` ++ type pulseaudio_t; ++ class dbus send_msg; ++ ') ++ ++ allow $1 pulseaudio_t:dbus send_msg; ++ allow pulseaudio_t $1:dbus send_msg; ++') ++ ++######################################## ++## ++## pulsaudio connection template. ++## ++## ++## ++## The type of the user domain. ++## ++## ++# ++interface(`pulseaudio_stream_connect',` ++ gen_require(` ++ type pulseaudio_t; ++ ') ++ ++ allow nsplugin_t pulseaudio_t:process signull; ++ allow $1 pulseaudio_t:unix_stream_socket connectto; ++') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/pulseaudio.te serefpolicy-3.6.10/policy/modules/apps/pulseaudio.te --- nsaserefpolicy/policy/modules/apps/pulseaudio.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.10/policy/modules/apps/pulseaudio.te 2009-03-30 10:09:41.000000000 -0400 -@@ -0,0 +1,97 @@ ++++ serefpolicy-3.6.10/policy/modules/apps/pulseaudio.te 2009-04-03 17:03:52.000000000 -0400 +@@ -0,0 +1,109 @@ +policy_module(pulseaudio,1.0.0) + +######################################## 
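Review bot: `pulseaudio_stream_connect` hard-codes the caller in `allow nsplugin_t pulseaudio_t:process signull;` instead of using the interface argument. As written, any caller other than nsplugin grants signull to nsplugin_t rather than to itself. nsplugin_t is also missing from the interface's `gen_require`, so the interface presumably fails to build when the nsplugin module is absent. The line should read `allow $1 pulseaudio_t:process signull;`. The summary also misspells the daemon as "pulsaudio" and describes a template taking a user domain; `Connect to pulseaudio over a unix stream socket.` with `Domain allowed access.` would match what the rules grant.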
@@ -3513,9 +3568,21 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +allow pulseaudio_t self:fifo_file rw_file_perms; +allow pulseaudio_t self:unix_stream_socket create_stream_socket_perms; +allow pulseaudio_t self:unix_dgram_socket { sendto create_socket_perms }; ++allow pulseaudio_t self:tcp_socket create_stream_socket_perms; ++allow pulseaudio_t self:udp_socket create_socket_perms; + +corecmd_exec_bin(pulseaudio_t) + ++corenet_all_recvfrom_unlabeled(pulseaudio_t) ++corenet_all_recvfrom_netlabel(pulseaudio_t) ++corenet_tcp_bind_pulseaudio_port(pulseaudio_t) ++corenet_tcp_bind_sound_port(pulseaudio_t) ++corenet_tcp_sendrecv_generic_if(pulseaudio_t) ++corenet_tcp_sendrecv_generic_node(pulseaudio_t) ++corenet_udp_bind_sap_port(pulseaudio_t) ++corenet_udp_sendrecv_generic_if(pulseaudio_t) ++corenet_udp_sendrecv_generic_node(pulseaudio_t) ++ +dev_read_sound(pulseaudio_t) +dev_write_sound(pulseaudio_t) +dev_read_sysfs(pulseaudio_t) @@ -4511,7 +4578,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corenetwork.te.in serefpolicy-3.6.10/policy/modules/kernel/corenetwork.te.in --- nsaserefpolicy/policy/modules/kernel/corenetwork.te.in 2009-03-23 13:47:10.000000000 -0400 -+++ serefpolicy-3.6.10/policy/modules/kernel/corenetwork.te.in 2009-03-30 10:09:41.000000000 -0400 ++++ serefpolicy-3.6.10/policy/modules/kernel/corenetwork.te.in 2009-04-03 17:02:58.000000000 -0400 @@ -65,10 +65,12 @@ type server_packet_t, packet_type, server_packet_type; 
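Review bot: The socket and corenet rules added to pulseaudio.te make pulseaudio_t network-capable unconditionally. It may create TCP and UDP sockets, bind the pulseaudio and sound TCP ports and the sap UDP port, and accept unlabeled traffic through `corenet_all_recvfrom_unlabeled(pulseaudio_t)`. PulseAudio's network modules are optional, so I would put this group inside a `tunable_policy` block controlled by a boolean that defaults to off; the local-only daemon then keeps no network permissions. No node-bind rule is visible beside the port-bind rules, so confirm that one exists elsewhere in pulseaudio.te, which continues outside this hunk.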
@@ -4599,8 +4666,11 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol network_port(printer, tcp,515,s0) network_port(ptal, tcp,5703,s0) network_port(pxe, udp,4011,s0) -@@ -162,9 +183,11 @@ +@@ -160,11 +181,14 @@ + network_port(rsh, tcp,514,s0) + network_port(rsync, tcp,873,s0, udp,873,s0) network_port(rwho, udp,513,s0) ++network_port(sap, tcp,9875,s0, udp,9875,s0) network_port(smbd, tcp,137-139,s0, tcp,445,s0) network_port(smtp, tcp,25,s0, tcp,465,s0, tcp,587,s0) -network_port(snmp, udp,161,s0, udp,162,s0, tcp,199,s0) @@ -4612,7 +4682,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol network_port(soundd, tcp,8000,s0, tcp,9433,s0, tcp, 16001, s0) type socks_port_t, port_type; dnl network_port(socks) # no defined portcon type stunnel_port_t, port_type; dnl network_port(stunnel) # no defined portcon in current strict -@@ -173,14 +196,17 @@ +@@ -173,14 +197,17 @@ network_port(syslogd, udp,514,s0) network_port(telnetd, tcp,23,s0) network_port(tftp, udp,69,s0) @@ -4632,7 +4702,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol network_port(xdmcp, udp,177,s0, tcp,177,s0) network_port(xen, tcp,8002,s0) network_port(xfs, tcp,7100,s0) -@@ -209,6 +235,8 @@ +@@ -209,6 +236,8 @@ type node_t, node_type; sid node gen_context(system_u:object_r:node_t,s0 - mls_systemhigh) 
@@ -8946,7 +9016,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +/var/log/ConsoleKit(/.*)? gen_context(system_u:object_r:consolekit_log_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/consolekit.if serefpolicy-3.6.10/policy/modules/services/consolekit.if --- nsaserefpolicy/policy/modules/services/consolekit.if 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.6.10/policy/modules/services/consolekit.if 2009-03-30 10:09:41.000000000 -0400 ++++ serefpolicy-3.6.10/policy/modules/services/consolekit.if 2009-04-03 16:41:51.000000000 -0400 @@ -38,3 +38,24 @@ allow $1 consolekit_t:dbus send_msg; allow consolekit_t $1:dbus send_msg; @@ -10806,8 +10876,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +/var/run/devkit(/.*)? gen_context(system_u:object_r:devicekit_var_run_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/devicekit.if serefpolicy-3.6.10/policy/modules/services/devicekit.if --- nsaserefpolicy/policy/modules/services/devicekit.if 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.10/policy/modules/services/devicekit.if 2009-03-30 10:09:41.000000000 -0400 -@@ -0,0 +1,177 @@ ++++ serefpolicy-3.6.10/policy/modules/services/devicekit.if 2009-04-03 16:46:10.000000000 -0400 +@@ -0,0 +1,197 @@ + +## policy for devicekit + 
@@ -10985,6 +11055,26 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + allow $1 devicekit_t:unix_dgram_socket sendto; +') + ++######################################## ++## ++## Send and receive messages from ++## devicekit disk over dbus. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`devicekit_disk_dbus_chat',` ++ gen_require(` ++ type devicekit_disk_t; ++ class dbus send_msg; ++ ') ++ ++ allow $1 devicekit_disk_t:dbus send_msg; ++ allow devicekit_disk_t $1:dbus send_msg; ++') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/devicekit.te serefpolicy-3.6.10/policy/modules/services/devicekit.te --- nsaserefpolicy/policy/modules/services/devicekit.te 1969-12-31 19:00:00.000000000 -0500 +++ serefpolicy-3.6.10/policy/modules/services/devicekit.te 2009-04-03 08:12:27.000000000 -0400 @@ -21580,7 +21670,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt.te serefpolicy-3.6.10/policy/modules/services/virt.te --- nsaserefpolicy/policy/modules/services/virt.te 2009-01-19 11:06:49.000000000 -0500 -+++ serefpolicy-3.6.10/policy/modules/services/virt.te 2009-03-30 10:09:41.000000000 -0400 ++++ serefpolicy-3.6.10/policy/modules/services/virt.te 2009-04-03 16:51:32.000000000 -0400 @@ -8,20 +8,18 @@ ## @@ -21667,7 +21757,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol -manage_files_pattern(virtd_t, virt_image_type, virt_image_type) +virtual_manage_image(virtd_t) -+virtual_manage_relabel(virtd_t) ++virtual_image_relabel(virtd_t) + +manage_dirs_pattern(virtd_t, virt_content_t, virt_content_t) +manage_files_pattern(virtd_t, virt_content_t, virt_content_t) 
@@ -21769,15 +21859,15 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +optional_policy(` + lvm_domtrans(virtd_t) +') - - optional_policy(` -- qemu_domtrans(virtd_t) ++ ++optional_policy(` + polkit_domtrans_auth(virtd_t) + polkit_domtrans_resolve(virtd_t) + polkit_read_lib(virtd_t) +') -+ -+optional_policy(` + + optional_policy(` +- qemu_domtrans(virtd_t) + qemu_spec_domtrans(virtd_t, svirt_t) qemu_read_state(virtd_t) qemu_signal(virtd_t) @@ -21786,7 +21876,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') optional_policy(` -@@ -198,5 +264,74 @@ +@@ -198,5 +264,73 @@ ') optional_policy(` @@ -21807,7 +21897,6 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +# +# svirt local policy +# -+ +manage_dirs_pattern(svirt_t, svirt_cache_t, svirt_cache_t) +manage_files_pattern(svirt_t, svirt_cache_t, svirt_cache_t) +files_var_filetrans(svirt_t, svirt_cache_t, { file dir }) @@ -27671,7 +27760,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +/dev/shm/mono.* gen_context(system_u:object_r:user_tmpfs_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.6.10/policy/modules/system/userdomain.if --- nsaserefpolicy/policy/modules/system/userdomain.if 2009-01-19 11:07:34.000000000 -0500 -+++ serefpolicy-3.6.10/policy/modules/system/userdomain.if 2009-04-03 10:26:58.000000000 -0400 ++++ serefpolicy-3.6.10/policy/modules/system/userdomain.if 2009-04-03 16:55:31.000000000 -0400 @@ -30,8 +30,9 @@ ') 
@@ -28100,7 +28189,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ############################## # -@@ -512,189 +517,198 @@ +@@ -512,189 +517,199 @@ dontaudit $1_t self:netlink_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown }; dontaudit $1_t self:netlink_route_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown nlmsg_read nlmsg_write }; @@ -28270,6 +28359,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol optional_policy(` - hal_dbus_chat($1_t) + devicekit_power_dbus_chat($1_usertype) ++ devicekit_disk_dbus_chat($1_usertype) ') optional_policy(` @@ -28380,7 +28470,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ####################################### -@@ -722,13 +736,26 @@ +@@ -722,13 +737,26 @@ userdom_base_user_template($1) @@ -28412,7 +28502,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol userdom_change_password_template($1) -@@ -746,70 +773,71 @@ +@@ -746,70 +774,71 @@ allow $1_t self:context contains; @@ -28517,7 +28607,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ') -@@ -846,6 +874,28 @@ +@@ -846,6 +875,28 @@ # Local policy # @@ -28546,7 +28636,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol optional_policy(` loadkeys_run($1_t,$1_r) ') -@@ -876,7 +926,7 @@ +@@ -876,7 +927,7 @@ userdom_restricted_user_template($1) @@ -28555,7 +28645,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ############################## # -@@ -884,14 +934,19 @@ +@@ -884,14 +935,19 @@ # auth_role($1_r, $1_t) 
@@ -28580,7 +28670,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol logging_dontaudit_send_audit_msgs($1_t) # Need to to this just so screensaver will work. Should be moved to screensaver domain -@@ -899,28 +954,33 @@ +@@ -899,28 +955,33 @@ selinux_get_enforce_mode($1_t) optional_policy(` @@ -28621,7 +28711,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ') -@@ -954,8 +1014,8 @@ +@@ -954,8 +1015,8 @@ # Declarations # @@ -28631,7 +28721,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol userdom_common_user_template($1) ############################## -@@ -964,11 +1024,12 @@ +@@ -964,11 +1025,12 @@ # # port access is audited even if dac would not have allowed it, so dontaudit it here @@ -28646,7 +28736,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # cjp: why? files_read_kernel_symbol_table($1_t) -@@ -986,37 +1047,47 @@ +@@ -986,37 +1048,47 @@ ') ') @@ -28708,7 +28798,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ####################################### -@@ -1050,7 +1121,7 @@ +@@ -1050,7 +1122,7 @@ # template(`userdom_admin_user_template',` gen_require(` @@ -28717,7 +28807,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ############################## -@@ -1059,8 +1130,7 @@ +@@ -1059,8 +1131,7 @@ # # Inherit rules for ordinary users. @@ -28727,7 +28817,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol domain_obj_id_change_exemption($1_t) role system_r types $1_t; -@@ -1083,7 +1153,8 @@ +@@ -1083,7 +1154,8 @@ # Skip authentication when pam_rootok is specified. allow $1_t self:passwd rootok; 
@@ -28737,7 +28827,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol kernel_read_software_raid_state($1_t) kernel_getattr_core_if($1_t) -@@ -1099,6 +1170,7 @@ +@@ -1099,6 +1171,7 @@ kernel_sigstop_unlabeled($1_t) kernel_signull_unlabeled($1_t) kernel_sigchld_unlabeled($1_t) @@ -28745,7 +28835,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol corenet_tcp_bind_generic_port($1_t) # allow setting up tunnels -@@ -1106,8 +1178,6 @@ +@@ -1106,8 +1179,6 @@ dev_getattr_generic_blk_files($1_t) dev_getattr_generic_chr_files($1_t) @@ -28754,7 +28844,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # Allow MAKEDEV to work dev_create_all_blk_files($1_t) dev_create_all_chr_files($1_t) -@@ -1162,20 +1232,6 @@ +@@ -1162,20 +1233,6 @@ # But presently necessary for installing the file_contexts file. seutil_manage_bin_policy($1_t) @@ -28775,7 +28865,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol optional_policy(` postgresql_unconfined($1_t) ') -@@ -1221,6 +1277,7 @@ +@@ -1221,6 +1278,7 @@ dev_relabel_all_dev_nodes($1) files_create_boot_flag($1) @@ -28783,7 +28873,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # Necessary for managing /boot/efi fs_manage_dos_files($1) -@@ -1286,11 +1343,15 @@ +@@ -1286,11 +1344,15 @@ interface(`userdom_user_home_content',` gen_require(` type user_home_t; @@ -28799,7 +28889,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -1387,7 +1448,7 @@ +@@ -1387,7 +1449,7 @@ ######################################## ## @@ -28808,7 +28898,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## ## ## -@@ -1420,6 +1481,14 @@ +@@ -1420,6 +1482,14 @@ allow $1 user_home_dir_t:dir list_dir_perms; files_search_home($1) 
@@ -28823,7 +28913,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -1435,9 +1504,11 @@ +@@ -1435,9 +1505,11 @@ interface(`userdom_dontaudit_list_user_home_dirs',` gen_require(` type user_home_dir_t; @@ -28835,7 +28925,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -1494,6 +1565,25 @@ +@@ -1494,6 +1566,25 @@ allow $1 user_home_dir_t:dir relabelto; ') @@ -28861,7 +28951,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ######################################## ## ## Create directories in the home dir root with -@@ -1568,6 +1658,8 @@ +@@ -1568,6 +1659,8 @@ ') dontaudit $1 user_home_t:dir search_dir_perms; @@ -28870,7 +28960,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -1643,6 +1735,7 @@ +@@ -1643,6 +1736,7 @@ type user_home_dir_t, user_home_t; ') 
@@ -28878,26 +28968,34 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol read_files_pattern($1, { user_home_dir_t user_home_t }, user_home_t) files_search_home($1) ') -@@ -1741,6 +1834,62 @@ +@@ -1741,30 +1835,79 @@ ######################################## ## +-## Execute user home files. +## Delete user home subdirectory symbolic links. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# + ## + ## + ## + ## Domain allowed access. + ## + ## +-## + # +-interface(`userdom_exec_user_home_content_files',` +interface(`userdom_delete_user_home_content_symlinks',` -+ gen_require(` + gen_require(` +- type user_home_dir_t, user_home_t; + type user_home_t; -+ ') -+ + ') + +- files_search_home($1) +- exec_files_pattern($1, { user_home_dir_t user_home_t }, user_home_t) + allow $1 user_home_t:lnk_file delete_lnk_file_perms; +') -+ + +- tunable_policy(`use_nfs_home_dirs',` +- fs_exec_nfs_files($1) +######################################## +## +## Delete files @@ -28912,8 +29010,10 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +interface(`userdom_delete_user_home_content_files',` + gen_require(` + type user_home_t; -+ ') -+ + ') + +- tunable_policy(`use_samba_home_dirs',` +- fs_exec_cifs_files($1) + allow $1 user_home_t:dir delete_file_perms; +') + 
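Review bot: `userdom_delete_user_home_content_files`, carried as unchanged context in the `@@ -28912` hunk, applies a file permission set to the dir class in `allow $1 user_home_t:dir delete_file_perms;`. For an interface documented as deleting files, the rule presumably should target the file class. `delete_files_pattern($1, user_home_t, user_home_t)` does that and also grants the directory permissions needed to remove an entry. As it stands, callers get unlink on home directories and nothing on the files themselves. The interface's doc block sits in the preceding hunk.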
@@ -28938,25 +29038,27 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + +######################################## +## - ## Execute user home files. - ## - ## -@@ -1757,14 +1906,6 @@ - - files_search_home($1) - exec_files_pattern($1, { user_home_dir_t user_home_t }, user_home_t) -- -- tunable_policy(`use_nfs_home_dirs',` -- fs_exec_nfs_files($1) -- ') -- -- tunable_policy(`use_samba_home_dirs',` -- fs_exec_cifs_files($1) -- ') ++## Execute user home files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++## ++# ++interface(`userdom_exec_user_home_content_files',` ++ gen_require(` ++ type user_home_dir_t; ++ attribute user_home_type; + ') ++ ++ files_search_home($1) ++ exec_files_pattern($1, { user_home_dir_t user_home_type }, user_home_type) ') ######################################## -@@ -1787,6 +1928,46 @@ +@@ -1787,6 +1930,46 @@ ######################################## ## @@ -29003,7 +29105,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## Create, read, write, and delete files ## in a user home subdirectory. ## -@@ -1799,6 +1980,7 @@ +@@ -1799,6 +1982,7 @@ interface(`userdom_manage_user_home_content_files',` gen_require(` type user_home_dir_t, user_home_t; @@ -29011,7 +29113,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') manage_files_pattern($1, user_home_t, user_home_t) -@@ -2328,7 +2510,7 @@ +@@ -2328,7 +2512,7 @@ ######################################## ## @@ -29020,7 +29122,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## ## ## -@@ -2814,7 +2996,25 @@ +@@ -2814,7 +2998,25 @@ type user_tmp_t; ') @@ -29047,7 +29149,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -2851,6 +3051,7 @@ +@@ -2851,6 +3053,7 @@ ') read_files_pattern($1,userdomain,userdomain) 
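Review bot: The re-added `userdom_exec_user_home_content_files` now passes the `user_home_type` attribute to `exec_files_pattern`, so callers gain execute on every type carrying that attribute rather than on user_home_t alone. The attribute's members are not visible here and should be checked. If any of them label downloaded or application-written content, existing callers of this interface silently receive broader execute rights. At minimum the summary should state the new scope, for example `## Execute files of any user home content type.`.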
@@ -29055,7 +29157,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol kernel_search_proc($1) ') -@@ -2981,3 +3182,482 @@ +@@ -2981,3 +3184,482 @@ allow $1 userdomain:dbus send_msg; ') @@ -29631,8 +29733,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +# No application file contexts. diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/virtual.if serefpolicy-3.6.10/policy/modules/system/virtual.if --- nsaserefpolicy/policy/modules/system/virtual.if 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.10/policy/modules/system/virtual.if 2009-03-30 10:09:41.000000000 -0400 -@@ -0,0 +1,113 @@ ++++ serefpolicy-3.6.10/policy/modules/system/virtual.if 2009-04-03 16:50:58.000000000 -0400 +@@ -0,0 +1,114 @@ +## Virtual machine emulator and virtualizer + +######################################## @@ -29720,12 +29822,13 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +## +## +# -+interface(`virtual_manage_relabel',` ++interface(`virtual_image_relabel',` + gen_require(` + attribute virtual_image_type; + ') + + allow $1 virtual_image_type:file { relabelfrom relabelto }; ++ allow $1 virtual_image_type:blk_file { relabelfrom relabelto }; +') + +########################################