Policy update should not modify local contexts

2011-10-21 09:42:14 -04:00 · 2011-10-21 09:42:14 -04:00 · e1f17eb990
commit e1f17eb990
parent 052e175084
2 changed files with 305 additions and 105 deletions
--- a/policy-F16.patch
+++ b/policy-F16.patch
@ -322,10 +322,18 @@ index 63ef90e..a535b31 100644
 ')
 diff --git a/policy/modules/admin/alsa.if b/policy/modules/admin/alsa.if
-index 1392679..c94911d 100644
+index 1392679..e75873a 100644
 --- a/policy/modules/admin/alsa.if
 +++ b/policy/modules/admin/alsa.if
-@@ -206,3 +206,21 @@ interface(`alsa_read_lib',`
+@@ -148,6 +148,7 @@ interface(`alsa_manage_home_files',`
 	userdom_search_user_home_dirs($1)
 	allow $1 alsa_home_t:file manage_file_perms;
 +	alsa_filetrans_home_content(unpriv_userdomain)
 ')
 ########################################
@@ -206,3 +207,47 @@ interface(`alsa_read_lib',`
 	files_search_var_lib($1)
 	read_files_pattern($1, alsa_var_lib_t, alsa_var_lib_t)
 ')
@ -340,13 +348,39 @@ index 1392679..c94911d 100644
 +##	</summary>
 +## </param>
 +#
-+interface(`alsa_filetrans_named_content',`
+interface(`alsa_filetrans_home_content',`
 +	gen_require(`
 +		type alsa_home_t;
 +	')
 +
 +	userdom_user_home_dir_filetrans($1, alsa_home_t, file, ".asoundrc")
 +')
 +
 +########################################
 +## <summary>
 +##	Transition to alsa named content
 +## </summary>
 +## <param name="domain">
 +##	<summary>
 +##      Domain allowed access.
 +##	</summary>
 +## </param>
 +#
 +interface(`alsa_filetrans_named_content',`
 +	gen_require(`
 +		type alsa_home_t;
 +		type alsa_etc_rw_t;
 +		type alsa_var_lib_t;
 +	')
 +
 +	userdom_user_home_dir_filetrans($1, alsa_home_t, file, ".asoundrc")
 +	files_etc_filetrans($1, alsa_etc_rw_t, file, "asound.state")
 +	files_etc_filetrans($1, alsa_etc_rw_t, dir, "pcm")
 +	files_etc_filetrans($1, alsa_etc_rw_t, dir, "asound")
 +	files_usr_filetrans($1, alsa_etc_rw_t, file, "alsa.conf")
 +	files_usr_filetrans($1, alsa_etc_rw_t, dir, "pcm")
 +	files_var_lib_filetrans($1, alsa_var_lib_t, dir, "alsa")
 +')
 diff --git a/policy/modules/admin/amanda.fc b/policy/modules/admin/amanda.fc
 index e3e0701..3fd0282 100644
 --- a/policy/modules/admin/amanda.fc
@ -3658,7 +3692,7 @@ index 7bddc02..2b59ed0 100644
 +
 +/var/db/sudo(/.*)?		gen_context(system_u:object_r:sudo_db_t,s0)
 diff --git a/policy/modules/admin/sudo.if b/policy/modules/admin/sudo.if
-index 975af1a..2aa37b4 100644
+index 975af1a..634c47a 100644
 --- a/policy/modules/admin/sudo.if
 +++ b/policy/modules/admin/sudo.if
@@ -32,6 +32,7 @@ template(`sudo_role_template',`
@ -3669,23 +3703,38 @@ index 975af1a..2aa37b4 100644
 		attribute sudodomain;
 	')
-@@ -47,6 +48,15 @@ template(`sudo_role_template',`
+@@ -47,26 +48,11 @@ template(`sudo_role_template',`
 	ubac_constrained($1_sudo_t)
 	role $2 types $1_sudo_t;
 -	##############################
 -	#
 -	# Local Policy
 -	#
 +	type $1_sudo_tmp_t;
 +	files_tmp_file($1_sudo_tmp_t)
-+
+ 
 -	# Use capabilities.
 -	allow $1_sudo_t self:capability { fowner setuid setgid dac_override sys_nice sys_resource };
 -	allow $1_sudo_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
 -	allow $1_sudo_t self:process { setexec setrlimit };
 -	allow $1_sudo_t self:fd use;
 -	allow $1_sudo_t self:fifo_file rw_fifo_file_perms;
 -	allow $1_sudo_t self:shm create_shm_perms;
 -	allow $1_sudo_t self:sem create_sem_perms;
 -	allow $1_sudo_t self:msgq create_msgq_perms;
 -	allow $1_sudo_t self:msg { send receive };
 -	allow $1_sudo_t self:unix_dgram_socket create_socket_perms;
 -	allow $1_sudo_t self:unix_stream_socket create_stream_socket_perms;
 -	allow $1_sudo_t self:unix_dgram_socket sendto;
 -	allow $1_sudo_t self:unix_stream_socket connectto;
 -	allow $1_sudo_t self:key manage_key_perms;
 +	allow $1_sudo_t $1_sudo_tmp_t:file manage_file_perms;
 +	files_tmp_filetrans($1_sudo_t, $1_sudo_tmp_t, file)
-+
+ 
-+	manage_dirs_pattern($1_sudo_t, sudo_db_t, sudo_db_t)
+ 	allow $1_sudo_t $3:key search;
-+	manage_files_pattern($1_sudo_t, sudo_db_t, sudo_db_t)
+ 
-+
+@@ -76,88 +62,19 @@ template(`sudo_role_template',`
 	##############################
 	#
 	# Local Policy
@@ -76,6 +86,11 @@ template(`sudo_role_template',`
 	# By default, revert to the calling domain when a shell is executed.
 	corecmd_shell_domtrans($1_sudo_t, $3)
 	corecmd_bin_domtrans($1_sudo_t, $3)
@ -3697,50 +3746,90 @@ index 975af1a..2aa37b4 100644
 	allow $3 $1_sudo_t:fd use;
 	allow $3 $1_sudo_t:fifo_file rw_fifo_file_perms;
 	allow $3 $1_sudo_t:process signal_perms;
@@ -113,12 +128,15 @@ template(`sudo_role_template',`
 	term_getattr_pty_fs($1_sudo_t)
 	term_relabel_all_ttys($1_sudo_t)
 	term_relabel_all_ptys($1_sudo_t)
 +	term_getattr_pty_fs($1_sudo_t)
 -	kernel_read_kernel_sysctls($1_sudo_t)
 -	kernel_read_system_state($1_sudo_t)
 -	kernel_link_key($1_sudo_t)
 -
 -	corecmd_read_bin_symlinks($1_sudo_t)
 -	corecmd_exec_all_executables($1_sudo_t)
 -
 -	dev_getattr_fs($1_sudo_t)
 -	dev_read_urand($1_sudo_t)
 -	dev_rw_generic_usb_dev($1_sudo_t)
 -	dev_read_sysfs($1_sudo_t)
 -
 -	domain_use_interactive_fds($1_sudo_t)
 -	domain_sigchld_interactive_fds($1_sudo_t)
 -	domain_getattr_all_entry_files($1_sudo_t)
 -
 -	files_read_etc_files($1_sudo_t)
 -	files_read_var_files($1_sudo_t)
 -	files_read_usr_symlinks($1_sudo_t)
 -	files_getattr_usr_files($1_sudo_t)
 -	# for some PAM modules and for cwd
 -	files_dontaudit_search_home($1_sudo_t)
 -	files_list_tmp($1_sudo_t)
 -
 -	fs_search_auto_mountpoints($1_sudo_t)
 -	fs_getattr_xattr_fs($1_sudo_t)
 -
 -	selinux_validate_context($1_sudo_t)
 -	selinux_compute_relabel_context($1_sudo_t)
 -
 -	term_getattr_pty_fs($1_sudo_t)
 -	term_relabel_all_ttys($1_sudo_t)
 -	term_relabel_all_ptys($1_sudo_t)
 -
 	auth_run_chk_passwd($1_sudo_t, $2)
- 	# sudo stores a token in the pam_pid directory
+-	# sudo stores a token in the pam_pid directory
- 	auth_manage_pam_pid($1_sudo_t)
+-	auth_manage_pam_pid($1_sudo_t)
 	auth_use_nsswitch($1_sudo_t)
-+	application_signal($1_sudo_t)
+-	init_rw_utmp($1_sudo_t)
-+
+-
- 	init_rw_utmp($1_sudo_t)
+-	logging_send_audit_msgs($1_sudo_t)
- 
+-	logging_send_syslog_msg($1_sudo_t)
- 	logging_send_audit_msgs($1_sudo_t)
+-
-@@ -126,7 +144,7 @@ template(`sudo_role_template',`
+-	miscfiles_read_localization($1_sudo_t)
- 
+-
 	miscfiles_read_localization($1_sudo_t)
 -	seutil_search_default_contexts($1_sudo_t)
-+	seutil_read_default_contexts($1_sudo_t)
+-	seutil_libselinux_linked($1_sudo_t)
- 	seutil_libselinux_linked($1_sudo_t)
+-
- 
+-	userdom_spec_domtrans_all_users($1_sudo_t)
- 	userdom_spec_domtrans_all_users($1_sudo_t)
+-	userdom_manage_user_home_content_files($1_sudo_t)
-@@ -135,12 +153,13 @@ template(`sudo_role_template',`
+-	userdom_manage_user_home_content_symlinks($1_sudo_t)
- 	userdom_manage_user_tmp_files($1_sudo_t)
+-	userdom_manage_user_tmp_files($1_sudo_t)
- 	userdom_manage_user_tmp_symlinks($1_sudo_t)
+-	userdom_manage_user_tmp_symlinks($1_sudo_t)
- 	userdom_use_user_terminals($1_sudo_t)
+-	userdom_use_user_terminals($1_sudo_t)
-+	userdom_signal_all_users($1_sudo_t)
+-	# for some PAM modules and for cwd
 	# for some PAM modules and for cwd
 -	userdom_dontaudit_search_user_home_content($1_sudo_t)
-+	userdom_search_user_home_content($1_sudo_t)
+-
 +	userdom_search_admin_dir($1_sudo_t)
 +	userdom_manage_all_users_keys($1_sudo_t)
 -	ifdef(`hide_broken_symptoms', `
 -		dontaudit $1_sudo_t $3:socket_class_set { read write };
 -	')
 -
 -	tunable_policy(`use_nfs_home_dirs',`
 -		fs_manage_nfs_files($1_sudo_t)
 -	')
 -
 -	tunable_policy(`use_samba_home_dirs',`
 -		fs_manage_cifs_files($1_sudo_t)
 -	')
 -
 -	optional_policy(`
 -		dbus_system_bus_client($1_sudo_t)
 -	')
 -
 -	optional_policy(`
 -		fprintd_dbus_chat($1_sudo_t)
 -	')
 -
 +	mta_role($2, $1_sudo_t)
 ')
- 	tunable_policy(`use_nfs_home_dirs',`
+ ########################################
- 		fs_manage_nfs_files($1_sudo_t)
+@@ -177,3 +94,22 @@ interface(`sudo_sigchld',`
@@ -177,3 +196,22 @@ interface(`sudo_sigchld',`
 	allow $1 sudodomain:process sigchld;
 ')
@ -3764,10 +3853,10 @@ index 975af1a..2aa37b4 100644
 +	can_exec($1, sudo_exec_t)
 +')
 diff --git a/policy/modules/admin/sudo.te b/policy/modules/admin/sudo.te
-index 2731fa1..3443ba2 100644
+index 2731fa1..22beabf 100644
 --- a/policy/modules/admin/sudo.te
 +++ b/policy/modules/admin/sudo.te
-@@ -7,3 +7,7 @@ attribute sudodomain;
+@@ -7,3 +7,110 @@ attribute sudodomain;
 type sudo_exec_t;
 application_executable_file(sudo_exec_t)
@ -3775,6 +3864,109 @@ index 2731fa1..3443ba2 100644
 +type sudo_db_t;
 +files_type(sudo_db_t)
 +
 +manage_dirs_pattern(sudodomain, sudo_db_t, sudo_db_t)
 +manage_files_pattern(sudodomain, sudo_db_t, sudo_db_t)
 +
 +##############################
 +#
 +# Local Policy
 +#
 +
 +# Use capabilities.
 +allow sudodomain self:capability { chown fowner setuid setgid dac_override sys_nice sys_resource };
 +allow sudodomain self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
 +allow sudodomain self:process { setexec setrlimit };
 +allow sudodomain self:fd use;
 +allow sudodomain self:fifo_file rw_fifo_file_perms;
 +allow sudodomain self:shm create_shm_perms;
 +allow sudodomain self:sem create_sem_perms;
 +allow sudodomain self:msgq create_msgq_perms;
 +allow sudodomain self:msg { send receive };
 +allow sudodomain self:unix_dgram_socket create_socket_perms;
 +allow sudodomain self:unix_stream_socket create_stream_socket_perms;
 +allow sudodomain self:unix_dgram_socket sendto;
 +allow sudodomain self:unix_stream_socket connectto;
 +allow sudodomain self:key manage_key_perms;
 +
 +kernel_read_kernel_sysctls(sudodomain)
 +kernel_read_system_state(sudodomain)
 +kernel_link_key(sudodomain)
 +
 +corecmd_read_bin_symlinks(sudodomain)
 +corecmd_exec_all_executables(sudodomain)
 +
 +dev_getattr_fs(sudodomain)
 +dev_read_urand(sudodomain)
 +dev_rw_generic_usb_dev(sudodomain)
 +dev_read_sysfs(sudodomain)
 +
 +domain_use_interactive_fds(sudodomain)
 +domain_sigchld_interactive_fds(sudodomain)
 +domain_getattr_all_entry_files(sudodomain)
 +
 +files_read_etc_files(sudodomain)
 +files_read_var_files(sudodomain)
 +files_read_usr_symlinks(sudodomain)
 +files_getattr_usr_files(sudodomain)
 +# for some PAM modules and for cwd
 +files_dontaudit_search_home(sudodomain)
 +files_list_tmp(sudodomain)
 +
 +fs_search_auto_mountpoints(sudodomain)
 +fs_getattr_xattr_fs(sudodomain)
 +
 +selinux_validate_context(sudodomain)
 +selinux_compute_relabel_context(sudodomain)
 +
 +term_getattr_pty_fs(sudodomain)
 +term_relabel_all_ttys(sudodomain)
 +term_relabel_all_ptys(sudodomain)
 +term_getattr_pty_fs(sudodomain)
 +
 +#auth_run_chk_passwd(sudodomain)
 +# sudo stores a token in the pam_pid directory
 +auth_manage_pam_pid(sudodomain)
 +#auth_use_nsswitch(sudodomain)
 +
 +application_signal(sudodomain)
 +
 +init_rw_utmp(sudodomain)
 +
 +logging_send_audit_msgs(sudodomain)
 +logging_send_syslog_msg(sudodomain)
 +
 +miscfiles_read_localization(sudodomain)
 +
 +seutil_read_default_contexts(sudodomain)
 +seutil_libselinux_linked(sudodomain)
 +
 +userdom_spec_domtrans_all_users(sudodomain)
 +userdom_manage_user_home_content_files(sudodomain)
 +userdom_manage_user_home_content_symlinks(sudodomain)
 +userdom_manage_user_tmp_files(sudodomain)
 +userdom_manage_user_tmp_symlinks(sudodomain)
 +userdom_use_user_terminals(sudodomain)
 +userdom_signal_all_users(sudodomain)
 +# for some PAM modules and for cwd
 +userdom_search_user_home_content(sudodomain)
 +userdom_search_admin_dir(sudodomain)
 +userdom_manage_all_users_keys(sudodomain)
 +
 +tunable_policy(`use_nfs_home_dirs',`
 +	fs_manage_nfs_files(sudodomain)
 +')
 +
 +tunable_policy(`use_samba_home_dirs',`
 +	fs_manage_cifs_files(sudodomain)
 +')
 +
 +optional_policy(`
 +	dbus_system_bus_client(sudodomain)
 +')
 +
 +optional_policy(`
 +	fprintd_dbus_chat(sudodomain)
 +')
 diff --git a/policy/modules/admin/sxid.te b/policy/modules/admin/sxid.te
 index d5aaf0e..6b16aef 100644
 --- a/policy/modules/admin/sxid.te
@ -4136,7 +4328,7 @@ index 81fb26f..66cf96c 100644
 ## </summary>
 ## <param name="domain">
 diff --git a/policy/modules/admin/usermanage.te b/policy/modules/admin/usermanage.te
-index 441cf22..772a68e 100644
+index 441cf22..cd9d876 100644
 --- a/policy/modules/admin/usermanage.te
 +++ b/policy/modules/admin/usermanage.te
@@ -71,6 +71,7 @@ allow chfn_t self:unix_stream_socket connectto;
@ -4147,7 +4339,7 @@ index 441cf22..772a68e 100644
 selinux_get_fs_mount(chfn_t)
 selinux_validate_context(chfn_t)
-@@ -79,18 +80,17 @@ selinux_compute_create_context(chfn_t)
+@@ -79,18 +80,18 @@ selinux_compute_create_context(chfn_t)
 selinux_compute_relabel_context(chfn_t)
 selinux_compute_user_contexts(chfn_t)
@ -4155,6 +4347,7 @@ index 441cf22..772a68e 100644
 -term_use_all_ptys(chfn_t)
 +term_use_all_inherited_ttys(chfn_t)
 +term_use_all_inherited_ptys(chfn_t)
 +term_getattr_all_ptys(chfn_t)
 fs_getattr_xattr_fs(chfn_t)
 fs_search_auto_mountpoints(chfn_t)
@ -4170,7 +4363,7 @@ index 441cf22..772a68e 100644
 # allow checking if a shell is executable
 corecmd_check_exec_shell(chfn_t)
-@@ -105,6 +105,7 @@ files_dontaudit_search_home(chfn_t)
+@@ -105,6 +106,7 @@ files_dontaudit_search_home(chfn_t)
 # /usr/bin/passwd asks for w access to utmp, but it will operate
 # correctly without it.  Do not audit write denials to utmp.
 init_dontaudit_rw_utmp(chfn_t)
@ -4178,7 +4371,7 @@ index 441cf22..772a68e 100644
 miscfiles_read_localization(chfn_t)
-@@ -118,6 +119,10 @@ userdom_use_unpriv_users_fds(chfn_t)
+@@ -118,6 +120,10 @@ userdom_use_unpriv_users_fds(chfn_t)
 # on user home dir
 userdom_dontaudit_search_user_home_content(chfn_t)
@ -4189,17 +4382,18 @@ index 441cf22..772a68e 100644
 ########################################
 #
 # Crack local policy
-@@ -194,8 +199,7 @@ selinux_compute_create_context(groupadd_t)
+@@ -194,8 +200,8 @@ selinux_compute_create_context(groupadd_t)
 selinux_compute_relabel_context(groupadd_t)
 selinux_compute_user_contexts(groupadd_t)
 -term_use_all_ttys(groupadd_t)
 -term_use_all_ptys(groupadd_t)
 +term_use_all_inherited_terms(groupadd_t)
 +term_getattr_all_ptys(groupadd_t)
 init_use_fds(groupadd_t)
 init_read_utmp(groupadd_t)
-@@ -277,6 +281,7 @@ kernel_read_kernel_sysctls(passwd_t)
+@@ -277,6 +283,7 @@ kernel_read_kernel_sysctls(passwd_t)
 # for SSP
 dev_read_urand(passwd_t)
@ -4207,13 +4401,14 @@ index 441cf22..772a68e 100644
 fs_getattr_xattr_fs(passwd_t)
 fs_search_auto_mountpoints(passwd_t)
-@@ -291,17 +296,18 @@ selinux_compute_create_context(passwd_t)
+@@ -291,17 +298,19 @@ selinux_compute_create_context(passwd_t)
 selinux_compute_relabel_context(passwd_t)
 selinux_compute_user_contexts(passwd_t)
 -term_use_all_ttys(passwd_t)
 -term_use_all_ptys(passwd_t)
 +term_use_all_inherited_terms(passwd_t)
 +term_getattr_all_ptys(passwd_t)
 -auth_domtrans_chk_passwd(passwd_t)
 auth_manage_shadow(passwd_t)
@ -4230,7 +4425,7 @@ index 441cf22..772a68e 100644
 domain_use_interactive_fds(passwd_t)
-@@ -311,6 +317,8 @@ files_search_var(passwd_t)
+@@ -311,6 +320,8 @@ files_search_var(passwd_t)
 files_dontaudit_search_pids(passwd_t)
 files_relabel_etc_files(passwd_t)
@ -4239,7 +4434,7 @@ index 441cf22..772a68e 100644
 # /usr/bin/passwd asks for w access to utmp, but it will operate
 # correctly without it.  Do not audit write denials to utmp.
 init_dontaudit_rw_utmp(passwd_t)
-@@ -323,7 +331,7 @@ miscfiles_read_localization(passwd_t)
+@@ -323,7 +334,7 @@ miscfiles_read_localization(passwd_t)
 seutil_dontaudit_search_config(passwd_t)
@ -4248,7 +4443,7 @@ index 441cf22..772a68e 100644
 userdom_use_unpriv_users_fds(passwd_t)
 # make sure that getcon succeeds
 userdom_getattr_all_users(passwd_t)
-@@ -332,6 +340,7 @@ userdom_read_user_tmp_files(passwd_t)
+@@ -332,6 +343,7 @@ userdom_read_user_tmp_files(passwd_t)
 # user generally runs this from their home directory, so do not audit a search
 # on user home dir
 userdom_dontaudit_search_user_home_content(passwd_t)
@ -4256,17 +4451,18 @@ index 441cf22..772a68e 100644
 optional_policy(`
 	nscd_domtrans(passwd_t)
-@@ -381,8 +390,7 @@ dev_read_urand(sysadm_passwd_t)
+@@ -381,8 +393,8 @@ dev_read_urand(sysadm_passwd_t)
 fs_getattr_xattr_fs(sysadm_passwd_t)
 fs_search_auto_mountpoints(sysadm_passwd_t)
 -term_use_all_ttys(sysadm_passwd_t)
 -term_use_all_ptys(sysadm_passwd_t)
 +term_use_all_inherited_terms(sysadm_passwd_t)
 +term_getattr_all_ptys(sysadm_passwd_t)
 auth_manage_shadow(sysadm_passwd_t)
 auth_relabel_shadow(sysadm_passwd_t)
-@@ -426,7 +434,7 @@ optional_policy(`
+@@ -426,7 +438,7 @@ optional_policy(`
 # Useradd local policy
 #
@ -4275,7 +4471,7 @@ index 441cf22..772a68e 100644
 dontaudit useradd_t self:capability sys_tty_config;
 allow useradd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
 allow useradd_t self:process setfscreate;
-@@ -448,8 +456,12 @@ corecmd_exec_shell(useradd_t)
+@@ -448,8 +460,12 @@ corecmd_exec_shell(useradd_t)
 # Execute /usr/bin/{passwd,chfn,chsh} and /usr/sbin/{useradd,vipw}.
 corecmd_exec_bin(useradd_t)
@ -4288,7 +4484,7 @@ index 441cf22..772a68e 100644
 files_manage_etc_files(useradd_t)
 files_search_var_lib(useradd_t)
-@@ -460,6 +472,7 @@ fs_search_auto_mountpoints(useradd_t)
+@@ -460,6 +476,7 @@ fs_search_auto_mountpoints(useradd_t)
 fs_getattr_xattr_fs(useradd_t)
 mls_file_upgrade(useradd_t)
@ -4296,17 +4492,18 @@ index 441cf22..772a68e 100644
 # Allow access to context for shadow file
 selinux_get_fs_mount(useradd_t)
-@@ -469,8 +482,7 @@ selinux_compute_create_context(useradd_t)
+@@ -469,8 +486,8 @@ selinux_compute_create_context(useradd_t)
 selinux_compute_relabel_context(useradd_t)
 selinux_compute_user_contexts(useradd_t)
 -term_use_all_ttys(useradd_t)
 -term_use_all_ptys(useradd_t)
 +term_use_all_inherited_terms(useradd_t)
 +term_getattr_all_ptys(useradd_t)
 auth_domtrans_chk_passwd(useradd_t)
 auth_rw_lastlog(useradd_t)
-@@ -498,21 +510,11 @@ seutil_domtrans_setfiles(useradd_t)
+@@ -498,21 +515,11 @@ seutil_domtrans_setfiles(useradd_t)
 userdom_use_unpriv_users_fds(useradd_t)
 # Add/remove user home directories
@ -20755,10 +20952,10 @@ index 2be17d2..2c588ca 100644
 +	userdom_execmod_user_home_files(staff_usertype)
 +')
 diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te
-index e14b961..f3980e0 100644
+index e14b961..f2aac71 100644
 --- a/policy/modules/roles/sysadm.te
 +++ b/policy/modules/roles/sysadm.te
-@@ -24,20 +24,48 @@ ifndef(`enable_mls',`
+@@ -24,20 +24,52 @@ ifndef(`enable_mls',`
 #
 # Local policy
 #
@ -20802,12 +20999,16 @@ index e14b961..f3980e0 100644
 +userdom_manage_tmp_role(sysadm_r, sysadm_t)
 +
 +optional_policy(`
 +	alsa_filetrans_named_content(sysadm_t)
 +')
 +
 +optional_policy(`
 +	ssh_filetrans_admin_home_content(sysadm_t)
 +')
 ifdef(`direct_sysadm_daemon',`
 	optional_policy(`
-@@ -55,6 +83,7 @@ ifndef(`enable_mls',`
+@@ -55,6 +87,7 @@ ifndef(`enable_mls',`
 	logging_manage_audit_log(sysadm_t)
 	logging_manage_audit_config(sysadm_t)
 	logging_run_auditctl(sysadm_t, sysadm_r)
@ -20815,7 +21016,7 @@ index e14b961..f3980e0 100644
 ')
 tunable_policy(`allow_ptrace',`
-@@ -67,9 +96,9 @@ optional_policy(`
+@@ -67,9 +100,9 @@ optional_policy(`
 optional_policy(`
 	apache_run_helper(sysadm_t, sysadm_r)
@ -20826,7 +21027,7 @@ index e14b961..f3980e0 100644
 ')
 optional_policy(`
-@@ -98,6 +127,10 @@ optional_policy(`
+@@ -98,6 +131,10 @@ optional_policy(`
 ')
 optional_policy(`
@ -20837,7 +21038,7 @@ index e14b961..f3980e0 100644
 	certwatch_run(sysadm_t, sysadm_r)
 ')
-@@ -110,11 +143,19 @@ optional_policy(`
+@@ -110,11 +147,19 @@ optional_policy(`
 ')
 optional_policy(`
@ -20858,7 +21059,7 @@ index e14b961..f3980e0 100644
 ')
 optional_policy(`
-@@ -128,6 +169,10 @@ optional_policy(`
+@@ -128,6 +173,10 @@ optional_policy(`
 ')
 optional_policy(`
@ -20869,7 +21070,7 @@ index e14b961..f3980e0 100644
 	dmesg_exec(sysadm_t)
 ')
-@@ -163,6 +208,13 @@ optional_policy(`
+@@ -163,6 +212,13 @@ optional_policy(`
 	ipsec_stream_connect(sysadm_t)
 	# for lsof
 	ipsec_getattr_key_sockets(sysadm_t)
@ -20883,7 +21084,7 @@ index e14b961..f3980e0 100644
 ')
 optional_policy(`
-@@ -170,15 +222,20 @@ optional_policy(`
+@@ -170,15 +226,20 @@ optional_policy(`
 ')
 optional_policy(`
@ -20907,7 +21108,7 @@ index e14b961..f3980e0 100644
 ')
 optional_policy(`
-@@ -198,22 +255,19 @@ optional_policy(`
+@@ -198,22 +259,19 @@ optional_policy(`
 	modutils_run_depmod(sysadm_t, sysadm_r)
 	modutils_run_insmod(sysadm_t, sysadm_r)
 	modutils_run_update_mods(sysadm_t, sysadm_r)
@ -20935,7 +21136,7 @@ index e14b961..f3980e0 100644
 ')
 optional_policy(`
-@@ -225,25 +279,47 @@ optional_policy(`
+@@ -225,25 +283,47 @@ optional_policy(`
 ')
 optional_policy(`
@ -20983,7 +21184,7 @@ index e14b961..f3980e0 100644
 	portage_run(sysadm_t, sysadm_r)
 	portage_run_gcc_config(sysadm_t, sysadm_r)
 ')
-@@ -253,19 +329,19 @@ optional_policy(`
+@@ -253,19 +333,19 @@ optional_policy(`
 ')
 optional_policy(`
@ -21007,7 +21208,7 @@ index e14b961..f3980e0 100644
 ')
 optional_policy(`
-@@ -274,10 +350,7 @@ optional_policy(`
+@@ -274,10 +354,7 @@ optional_policy(`
 optional_policy(`
 	rpm_run(sysadm_t, sysadm_r)
@ -21019,7 +21220,7 @@ index e14b961..f3980e0 100644
 ')
 optional_policy(`
-@@ -302,12 +375,18 @@ optional_policy(`
+@@ -302,12 +379,18 @@ optional_policy(`
 ')
 optional_policy(`
@ -21039,7 +21240,7 @@ index e14b961..f3980e0 100644
 ')
 optional_policy(`
-@@ -332,7 +411,10 @@ optional_policy(`
+@@ -332,7 +415,10 @@ optional_policy(`
 ')
 optional_policy(`
@ -21051,7 +21252,7 @@ index e14b961..f3980e0 100644
 ')
 optional_policy(`
-@@ -343,19 +425,15 @@ optional_policy(`
+@@ -343,19 +429,15 @@ optional_policy(`
 ')
 optional_policy(`
@ -21073,7 +21274,7 @@ index e14b961..f3980e0 100644
 ')
 optional_policy(`
-@@ -367,45 +445,45 @@ optional_policy(`
+@@ -367,45 +449,45 @@ optional_policy(`
 ')
 optional_policy(`
@ -21130,7 +21331,7 @@ index e14b961..f3980e0 100644
 		auth_role(sysadm_r, sysadm_t)
 	')
-@@ -418,10 +496,6 @@ ifndef(`distro_redhat',`
+@@ -418,10 +500,6 @@ ifndef(`distro_redhat',`
 	')
 	optional_policy(`
@ -21141,7 +21342,7 @@ index e14b961..f3980e0 100644
 		dbus_role_template(sysadm, sysadm_r, sysadm_t)
 	')
-@@ -439,6 +513,7 @@ ifndef(`distro_redhat',`
+@@ -439,6 +517,7 @@ ifndef(`distro_redhat',`
 	optional_policy(`
 		gnome_role(sysadm_r, sysadm_t)
@ -21149,7 +21350,7 @@ index e14b961..f3980e0 100644
 	')
 	optional_policy(`
-@@ -446,11 +521,66 @@ ifndef(`distro_redhat',`
+@@ -446,11 +525,66 @@ ifndef(`distro_redhat',`
 	')
 	optional_policy(`
@ -21172,8 +21373,9 @@ index e14b961..f3980e0 100644
 +
 +	optional_policy(`
 +		mplayer_role(sysadm_r, sysadm_t)
-+	')
+ 	')
-+
+-')
 +	optional_policy(`
 +		pyzor_role(sysadm_r, sysadm_t)
 +	')
@ -21212,9 +21414,8 @@ index e14b961..f3980e0 100644
 +
 +	optional_policy(`
 +		wireshark_role(sysadm_r, sysadm_t)
- 	')
+	')
-')
+
 +	optional_policy(`
 +		xserver_role(sysadm_r, sysadm_t)
 +	')
@ -21928,10 +22129,10 @@ index 0000000..8b2cdf3
 +
 diff --git a/policy/modules/roles/unconfineduser.te b/policy/modules/roles/unconfineduser.te
 new file mode 100644
-index 0000000..8d7dde1
+index 0000000..50c38f9
 --- /dev/null
 +++ b/policy/modules/roles/unconfineduser.te
-@@ -0,0 +1,502 @@
+@@ -0,0 +1,498 @@
 +policy_module(unconfineduser, 1.0.0)
 +
 +########################################
@ -22159,11 +22360,7 @@ index 0000000..8d7dde1
 +')
 +
 +optional_policy(`
-+	ada_run(unconfined_t, unconfined_r)
+	alsa_filetrans_named_content(unconfined_t)
 +')
 +
 +optional_policy(`
 +	alsa_run(unconfined_t, unconfined_r)
 +')
 +
 +optional_policy(`
@ -73110,10 +73307,10 @@ index 0000000..79c358c
 +
 diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
 new file mode 100644
-index 0000000..1449552
+index 0000000..a84b8e7
 --- /dev/null
 +++ b/policy/modules/system/systemd.te
-@@ -0,0 +1,370 @@
+@@ -0,0 +1,371 @@
 +policy_module(systemd, 1.0.0)
 +
 +#######################################
@ -73267,6 +73464,7 @@ index 0000000..1449552
 +
 +manage_dirs_pattern(systemd_passwd_agent_t, systemd_passwd_var_run_t, systemd_passwd_var_run_t);
 +manage_files_pattern(systemd_passwd_agent_t, systemd_passwd_var_run_t, systemd_passwd_var_run_t);
 +manage_sock_files_pattern(systemd_passwd_agent_t, systemd_passwd_var_run_t, systemd_passwd_var_run_t);
 +manage_fifo_files_pattern(systemd_passwd_agent_t, systemd_passwd_var_run_t, systemd_passwd_var_run_t);
 +init_pid_filetrans(systemd_passwd_agent_t, systemd_passwd_var_run_t, { dir fifo_file file })
 +
@ -78167,7 +78365,7 @@ index 4b2878a..34d01ef 100644
 +   allow $1 unpriv_userdomain:sem rw_sem_perms;
 +')
 diff --git a/policy/modules/system/userdomain.te b/policy/modules/system/userdomain.te
-index 9b4a930..04d748b 100644
+index 9b4a930..d6c3860 100644
 --- a/policy/modules/system/userdomain.te
 +++ b/policy/modules/system/userdomain.te
@@ -7,7 +7,7 @@ policy_module(userdomain, 4.5.2)
@ -78220,7 +78418,7 @@ index 9b4a930..04d748b 100644
 type user_home_dir_t alias { staff_home_dir_t sysadm_home_dir_t secadm_home_dir_t auditadm_home_dir_t unconfined_home_dir_t };
 fs_associate_tmpfs(user_home_dir_t)
 files_type(user_home_dir_t)
-@@ -71,26 +98,78 @@ ubac_constrained(user_home_dir_t)
+@@ -71,26 +98,77 @@ ubac_constrained(user_home_dir_t)
 type user_home_t alias { staff_home_t sysadm_home_t secadm_home_t auditadm_home_t unconfined_home_t };
 typealias user_home_t alias { staff_untrusted_content_t sysadm_untrusted_content_t secadm_untrusted_content_t auditadm_untrusted_content_t unconfined_untrusted_content_t };
@ -78283,7 +78481,6 @@ index 9b4a930..04d748b 100644
 +	alsa_read_rw_config(unpriv_userdomain)
 +	alsa_manage_home_files(unpriv_userdomain)
 +	alsa_relabel_home_files(unpriv_userdomain)
 +	alsa_filetrans_named_content(unpriv_userdomain)
 +')
 +
 +optional_policy(`
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@ -17,7 +17,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.10.0
-Release: 45.1%{?dist}
+Release: 46%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@ -176,8 +176,8 @@ rm -rf %{buildroot}%{_sysconfdir}/selinux/%1/contexts/netfilter_contexts
 %dir %{_sysconfdir}/selinux/%1/contexts/files \
 %verify(not md5 size mtime) %{_sysconfdir}/selinux/%1/contexts/files/file_contexts \
 %verify(not md5 size mtime) %{_sysconfdir}/selinux/%1/contexts/files/file_contexts.homedirs \
-%verify(not md5 size mtime) %{_sysconfdir}/selinux/%1/contexts/files/file_contexts.local \
+%config(noreplace) %{_sysconfdir}/selinux/%1/contexts/files/file_contexts.local \
-%verify(not md5 size mtime) %{_sysconfdir}/selinux/%1/contexts/files/file_contexts.subs \
+%config(noreplace) %{_sysconfdir}/selinux/%1/contexts/files/file_contexts.subs \
 %verify(not md5 size mtime) %{_sysconfdir}/selinux/%1/contexts/files/file_contexts.subs_dist \
 %config %{_sysconfdir}/selinux/%1/contexts/files/media \
 %dir %{_sysconfdir}/selinux/%1/contexts/users \
@ -481,6 +481,9 @@ SELinux Reference policy mls base module.
 %endif
 %changelog
 * Fri Oct 20 2011 Miroslav Grepl <mgrepl@redhat.com> 3.10.0-46
 - Policy update should not modify local contexts
 * Thu Oct 20 2011 Dan Walsh <dwalsh@redhat.com> 3.10.0-45.1
 - Remove ada policy