- Allow svirt images to create sock_file in svirt_var_run_t

2009-08-05 19:37:52 +00:00 · 2009-08-05 19:37:52 +00:00 · f3b436ca6a
parent 4673269d66
commit f3b436ca6a
1 changed files with 173 additions and 115 deletions
--- a/policy-F12.patch
+++ b/policy-F12.patch
@ -1008,7 +1008,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 		java_domtrans_unconfined(rpm_script_t)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/sudo.if serefpolicy-3.6.26/policy/modules/admin/sudo.if
 --- nsaserefpolicy/policy/modules/admin/sudo.if	2009-07-28 13:28:33.000000000 -0400
-+++ serefpolicy-3.6.26/policy/modules/admin/sudo.if	2009-07-30 15:33:08.000000000 -0400
+++ serefpolicy-3.6.26/policy/modules/admin/sudo.if	2009-08-05 07:57:19.000000000 -0400
@@ -66,8 +66,8 @@
 	allow $1_sudo_t self:unix_stream_socket create_stream_socket_perms;
 	allow $1_sudo_t self:unix_dgram_socket sendto;
@ -1041,6 +1041,18 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 	tunable_policy(`use_nfs_home_dirs',`
 		fs_manage_nfs_files($1_sudo_t)
@@ -147,6 +149,11 @@
 	optional_policy(`
 		dbus_system_bus_client($1_sudo_t)
 	')
 +
 +	optional_policy(`
 +		fprintd_dbus_chat($1_sudo_t)
 +	')	  
 +
 ')
 ########################################
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/tmpreaper.te serefpolicy-3.6.26/policy/modules/admin/tmpreaper.te
 --- nsaserefpolicy/policy/modules/admin/tmpreaper.te	2009-07-28 13:28:33.000000000 -0400
 +++ serefpolicy-3.6.26/policy/modules/admin/tmpreaper.te	2009-07-30 15:33:08.000000000 -0400
@ -2575,8 +2587,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +')
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin.te serefpolicy-3.6.26/policy/modules/apps/nsplugin.te
 --- nsaserefpolicy/policy/modules/apps/nsplugin.te	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.6.26/policy/modules/apps/nsplugin.te	2009-07-30 15:33:08.000000000 -0400
+++ serefpolicy-3.6.26/policy/modules/apps/nsplugin.te	2009-08-05 07:20:45.000000000 -0400
-@@ -0,0 +1,287 @@
+@@ -0,0 +1,285 @@
 +
 +policy_module(nsplugin, 1.0.0)
 +
@ -2769,12 +2781,10 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +        xserver_common_app(nsplugin_t)
 +	xserver_rw_shm(nsplugin_t)
 +	xserver_read_xdm_tmp_files(nsplugin_t)
 +	xserver_read_xdm_pid(nsplugin_t)
 +	xserver_read_user_xauth(nsplugin_t)
 +	xserver_read_user_iceauth(nsplugin_t)
 +	xserver_use_user_fonts(nsplugin_t)
 +	xserver_manage_home_fonts(nsplugin_t)
 +	xserver_dontaudit_rw_xdm_home_files(nsplugin_t)
 +')
 +
 +########################################
@ -3948,8 +3958,25 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +')
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/screen.if serefpolicy-3.6.26/policy/modules/apps/screen.if
 --- nsaserefpolicy/policy/modules/apps/screen.if	2009-07-23 14:11:04.000000000 -0400
-+++ serefpolicy-3.6.26/policy/modules/apps/screen.if	2009-07-30 15:33:08.000000000 -0400
+++ serefpolicy-3.6.26/policy/modules/apps/screen.if	2009-08-05 07:38:57.000000000 -0400
-@@ -157,3 +157,24 @@
+@@ -61,6 +61,8 @@
 	manage_fifo_files_pattern($1_screen_t, screen_dir_t, screen_var_run_t)
 	manage_dirs_pattern($1_screen_t, screen_dir_t, screen_dir_t)
 	filetrans_pattern($1_screen_t, screen_dir_t, screen_var_run_t, fifo_file)
 +	dontaudit $3 $1_var_run_t:fifo_file read;
 +
 	files_pid_filetrans($1_screen_t, screen_dir_t, dir)
 	allow $1_screen_t screen_home_t:dir list_dir_perms;
@@ -91,6 +93,7 @@
 	# Revert to the user domain when a shell is executed.
 	corecmd_shell_domtrans($1_screen_t, $3)
 	corecmd_bin_domtrans($1_screen_t, $3)
 +	allow $3 $1_screen_t:process sigchld;
 	corenet_all_recvfrom_unlabeled($1_screen_t)
 	corenet_all_recvfrom_netlabel($1_screen_t)
@@ -157,3 +160,24 @@
 		nscd_socket_use($1_screen_t)
 	')
 ')
@ -4561,7 +4588,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain.if serefpolicy-3.6.26/policy/modules/kernel/domain.if
 --- nsaserefpolicy/policy/modules/kernel/domain.if	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.26/policy/modules/kernel/domain.if	2009-08-03 08:04:07.000000000 -0400
+++ serefpolicy-3.6.26/policy/modules/kernel/domain.if	2009-08-05 08:03:44.000000000 -0400
@@ -44,34 +44,6 @@
 interface(`domain_type',`
 	# start with basic domain
@ -4744,7 +4771,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +')
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain.te serefpolicy-3.6.26/policy/modules/kernel/domain.te
 --- nsaserefpolicy/policy/modules/kernel/domain.te	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.26/policy/modules/kernel/domain.te	2009-07-30 15:33:08.000000000 -0400
+++ serefpolicy-3.6.26/policy/modules/kernel/domain.te	2009-08-05 07:21:34.000000000 -0400
@@ -5,6 +5,13 @@
 #
 # Declarations
@ -4802,7 +4829,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 optional_policy(`
 	xserver_dontaudit_use_xdm_fds(domain)
 	xserver_dontaudit_rw_xdm_pipes(domain)
-+	xserver_dontaudit_rw_xdm_home_files(domain)
+	xserver_dontaudit_append_xdm_home_files(domain)
 ')
 ########################################
@ -5643,31 +5670,24 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +gen_user(guest_u, user, guest_r, s0, s0)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/staff.te serefpolicy-3.6.26/policy/modules/roles/staff.te
 --- nsaserefpolicy/policy/modules/roles/staff.te	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.26/policy/modules/roles/staff.te	2009-07-30 15:33:08.000000000 -0400
+++ serefpolicy-3.6.26/policy/modules/roles/staff.te	2009-08-05 07:37:10.000000000 -0400
-@@ -15,156 +15,105 @@
+@@ -15,156 +15,110 @@
 # Local policy
 #
 -optional_policy(`
 -	apache_role(staff_r, staff_t)
 -')
-+kernel_read_ring_buffer(staff_t)
+-
 +kernel_getattr_core_if(staff_t)
 +kernel_getattr_message_if(staff_t)
 +kernel_read_software_raid_state(staff_t)
 -optional_policy(`
 -	auth_role(staff_r, staff_t)
 -')
-+auth_domtrans_pam_console(staff_t)
+-
 -optional_policy(`
 -	auditadm_role_change(staff_r)
 -')
-+seutil_run_newrole(staff_t, staff_r)
+-
-+netutils_run_ping(staff_t, staff_r)
+-optional_policy(`
 optional_policy(`
 -	bluetooth_role(staff_r, staff_t)
 -')
 -
@ -5682,7 +5702,11 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 -optional_policy(`
 -	dbus_role_template(staff, staff_r, staff_t)
 -')
-
+kernel_read_ring_buffer(staff_t)
 +kernel_getattr_core_if(staff_t)
 +kernel_getattr_message_if(staff_t)
 +kernel_read_software_raid_state(staff_t)
 -optional_policy(`
 -	ethereal_role(staff_r, staff_t)
 -')
@ -5694,113 +5718,117 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 -optional_policy(`
 -	games_role(staff_r, staff_t)
 -')
-
+auth_domtrans_pam_console(staff_t)
 -optional_policy(`
 -	gift_role(staff_r, staff_t)
 -')
-
+seutil_run_newrole(staff_t, staff_r)
-optional_policy(`
+netutils_run_ping(staff_t, staff_r)
 optional_policy(`
 -	gnome_role(staff_r, staff_t)
 -')
 -
 -optional_policy(`
 -	gpg_role(staff_r, staff_t)
 +	sudo_role_template(staff, staff_r, staff_t)
 ')
 optional_policy(`
-	irc_role(staff_r, staff_t)
+-	gpg_role(staff_r, staff_t)
 +	auditadm_role_change(staff_r)
 ')
 optional_policy(`
-	java_role(staff_r, staff_t)
+-	irc_role(staff_r, staff_t)
 +	kerneloops_manage_tmp_files(staff_t)
 ')
 optional_policy(`
-	lockdev_role(staff_r, staff_t)
+-	java_role(staff_r, staff_t)
 +	logadm_role_change(staff_r)
 ')
 optional_policy(`
-	lpd_role(staff_r, staff_t)
+-	lockdev_role(staff_r, staff_t)
 +	postgresql_role(staff_r, staff_t)
 ')
 optional_policy(`
-	mozilla_role(staff_r, staff_t)
+-	lpd_role(staff_r, staff_t)
 +	rtkit_daemon_system_domain(staff_t)
 ')
 optional_policy(`
-	mplayer_role(staff_r, staff_t)
+-	mozilla_role(staff_r, staff_t)
 +	secadm_role_change(staff_r)
 ')
 optional_policy(`
-	mta_role(staff_r, staff_t)
+-	mplayer_role(staff_r, staff_t)
 +	ssh_role_template(staff, staff_r, staff_t)
 ')
 optional_policy(`
 -	mta_role(staff_r, staff_t)
 +	sysadm_role_change(staff_r)
 ')
 optional_policy(`
 -	oident_manage_user_content(staff_t)
 -	oident_relabel_user_content(staff_t)
 +	sysadm_role_change(staff_r)
 ')
 optional_policy(`
 -	pyzor_role(staff_r, staff_t)
 +	usernetctl_run(staff_t, staff_r)
 ')
 optional_policy(`
-	razor_role(staff_r, staff_t)
+-	pyzor_role(staff_r, staff_t)
 +	unconfined_role_change(staff_r)
 ')
 optional_policy(`
-	rssh_role(staff_r, staff_t)
+-	razor_role(staff_r, staff_t)
 +	webadm_role_change(staff_r)
 ')
 -optional_policy(`
-	screen_role_template(staff, staff_r, staff_t)
+-	rssh_role(staff_r, staff_t)
 -')
 +domain_read_all_domains_state(staff_t)
 +domain_getattr_all_domains(staff_t)
 +domain_obj_id_change_exemption(staff_t)
 -optional_policy(`
-	secadm_role_change(staff_r)
+-	screen_role_template(staff, staff_r, staff_t)
 -')
 +files_read_kernel_modules(staff_t)
 -optional_policy(`
-	spamassassin_role(staff_r, staff_t)
+-	secadm_role_change(staff_r)
 -')
 +kernel_read_fs_sysctls(staff_t)
 -optional_policy(`
-	ssh_role_template(staff, staff_r, staff_t)
+-	spamassassin_role(staff_r, staff_t)
 -')
 +modutils_read_module_config(staff_t)
 +modutils_read_module_deps(staff_t)
 -optional_policy(`
-	su_role_template(staff, staff_r, staff_t)
+-	ssh_role_template(staff, staff_r, staff_t)
 -')
 +miscfiles_read_hwdata(staff_t)
 -optional_policy(`
-	sudo_role_template(staff, staff_r, staff_t)
+-	su_role_template(staff, staff_r, staff_t)
 -')
 +term_use_unallocated_ttys(staff_t)
 optional_policy(`
 -	sudo_role_template(staff, staff_r, staff_t)
 +	gnomeclock_dbus_chat(staff_t)
 ')
 optional_policy(`
 -	sysadm_role_change(staff_r)
 -	userdom_dontaudit_use_user_terminals(staff_t)
-+	gnomeclock_dbus_chat(staff_t)
+	lpd_list_spool(staff_t
 ')
 optional_policy(`
@ -5820,6 +5848,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 optional_policy(`
 -	userhelper_role_template(staff, staff_r, staff_t)
 +	screen_role_template(staff, staff_r, staff_t)
 +	screen_manage_var_run(staff_t)
 ')
@ -9828,7 +9857,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 ')
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus.if serefpolicy-3.6.26/policy/modules/services/dbus.if
 --- nsaserefpolicy/policy/modules/services/dbus.if	2009-07-28 13:28:33.000000000 -0400
-+++ serefpolicy-3.6.26/policy/modules/services/dbus.if	2009-07-30 15:33:08.000000000 -0400
+++ serefpolicy-3.6.26/policy/modules/services/dbus.if	2009-08-05 07:49:49.000000000 -0400
@@ -42,8 +42,10 @@
 	gen_require(`
 		class dbus { send_msg acquire_svc };
@ -9867,7 +9896,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 	userdom_read_user_home_content_files($1_dbusd_t)
 	ifdef(`hide_broken_symptoms', `
-@@ -153,6 +157,10 @@
+@@ -153,12 +157,15 @@
 	')
 	optional_policy(`
@ -9878,7 +9907,14 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 		hal_dbus_chat($1_dbusd_t)
 	')
-@@ -178,10 +186,12 @@
+ 	optional_policy(`
 -		xserver_use_xdm_fds($1_dbusd_t)
 -		xserver_rw_xdm_pipes($1_dbusd_t)
 +		xserver_use_xdm($1_dbusd_t)
 	')
 ')
@@ -178,10 +185,12 @@
 		type system_dbusd_t, system_dbusd_t;
 		type system_dbusd_var_run_t, system_dbusd_var_lib_t;
 		class dbus send_msg;
@ -9892,7 +9928,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 	read_files_pattern($1, system_dbusd_var_lib_t, system_dbusd_var_lib_t)
 	files_search_var_lib($1)
-@@ -190,6 +200,10 @@
+@@ -190,6 +199,10 @@
 	files_search_pids($1)
 	stream_connect_pattern($1, system_dbusd_var_run_t, system_dbusd_var_run_t, system_dbusd_t)
 	dbus_read_config($1)
@ -9903,7 +9939,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 ')
 #######################################
-@@ -256,7 +270,7 @@
+@@ -256,7 +269,7 @@
 ########################################
 ## <summary>
@ -10959,8 +10995,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +')
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/modemmanager.te serefpolicy-3.6.26/policy/modules/services/modemmanager.te
 --- nsaserefpolicy/policy/modules/services/modemmanager.te	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.6.26/policy/modules/services/modemmanager.te	2009-07-30 15:33:08.000000000 -0400
+++ serefpolicy-3.6.26/policy/modules/services/modemmanager.te	2009-08-05 15:31:50.000000000 -0400
-@@ -0,0 +1,41 @@
+@@ -0,0 +1,46 @@
 +policy_module(ModemManager,1.0.0)
 +
 +########################################
@ -10992,6 +11028,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +
 +files_read_etc_files(ModemManager_t)
 +
 +term_use_unallocated_ttys(ModemManager_t)
 +
 +miscfiles_read_localization(ModemManager_t)
 +
 +logging_send_syslog_msg(ModemManager_t)
@ -11000,8 +11038,11 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +	networkmanager_dbus_chat(ModemManager_t)
 +')
 +
-+permissive ModemManager_t;
+optional_policy(`
 +	udev_read_db(ModemManager_t)
 +')
 +
 +permissive ModemManager_t;
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.fc serefpolicy-3.6.26/policy/modules/services/mta.fc
 --- nsaserefpolicy/policy/modules/services/mta.fc	2009-07-29 15:15:33.000000000 -0400
 +++ serefpolicy-3.6.26/policy/modules/services/mta.fc	2009-07-30 15:33:09.000000000 -0400
@ -11536,7 +11577,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/networkmanager.te serefpolicy-3.6.26/policy/modules/services/networkmanager.te
 --- nsaserefpolicy/policy/modules/services/networkmanager.te	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.26/policy/modules/services/networkmanager.te	2009-07-30 15:33:09.000000000 -0400
+++ serefpolicy-3.6.26/policy/modules/services/networkmanager.te	2009-08-05 08:04:33.000000000 -0400
@@ -19,6 +19,9 @@
 type NetworkManager_tmp_t;
 files_tmp_file(NetworkManager_tmp_t)
@ -11564,20 +11605,21 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 allow NetworkManager_t self:tcp_socket create_stream_socket_perms;
 allow NetworkManager_t self:udp_socket create_socket_perms;
 allow NetworkManager_t self:packet_socket create_socket_perms;
-@@ -51,8 +55,10 @@
+@@ -51,8 +55,11 @@
 manage_files_pattern(NetworkManager_t, NetworkManager_log_t, NetworkManager_log_t)
 logging_log_filetrans(NetworkManager_t, NetworkManager_log_t, file)
 -rw_sock_files_pattern(NetworkManager_t, NetworkManager_tmp_t, NetworkManager_tmp_t)
 -files_search_tmp(NetworkManager_t)
 +manage_files_pattern(NetworkManager_t, NetworkManager_tmp_t, NetworkManager_tmp_t)
 +manage_sock_files_pattern(NetworkManager_t, NetworkManager_tmp_t, NetworkManager_tmp_t)
-+files_tmp_filetrans(NetworkManager_t, NetworkManager_tmp_t, sock_file)
+files_tmp_filetrans(NetworkManager_t, NetworkManager_tmp_t, { sock_file file })
 +
 +manage_files_pattern(NetworkManager_t, NetworkManager_var_lib_t, NetworkManager_var_lib_t)
 manage_dirs_pattern(NetworkManager_t, NetworkManager_var_run_t, NetworkManager_var_run_t)
 manage_files_pattern(NetworkManager_t, NetworkManager_var_run_t, NetworkManager_var_run_t)
-@@ -63,6 +69,8 @@
+@@ -63,6 +70,8 @@
 kernel_read_network_state(NetworkManager_t)
 kernel_read_kernel_sysctls(NetworkManager_t)
 kernel_load_module(NetworkManager_t)
@ -11586,7 +11628,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 corenet_all_recvfrom_unlabeled(NetworkManager_t)
 corenet_all_recvfrom_netlabel(NetworkManager_t)
-@@ -81,13 +89,18 @@
+@@ -81,13 +90,18 @@
 corenet_sendrecv_isakmp_server_packets(NetworkManager_t)
 corenet_sendrecv_dhcpc_server_packets(NetworkManager_t)
 corenet_sendrecv_all_client_packets(NetworkManager_t)
@ -11605,7 +11647,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 mls_file_read_all_levels(NetworkManager_t)
-@@ -98,15 +111,20 @@
+@@ -98,15 +112,20 @@
 domain_use_interactive_fds(NetworkManager_t)
 domain_read_confined_domains_state(NetworkManager_t)
@ -11627,7 +11669,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 logging_send_syslog_msg(NetworkManager_t)
 miscfiles_read_localization(NetworkManager_t)
-@@ -116,25 +134,40 @@
+@@ -116,25 +135,40 @@
 seutil_read_config(NetworkManager_t)
@ -11675,7 +11717,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 ')
 optional_policy(`
-@@ -146,8 +179,25 @@
+@@ -146,8 +180,25 @@
 ')
 optional_policy(`
@ -11703,7 +11745,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 ')
 optional_policy(`
-@@ -155,23 +205,51 @@
+@@ -155,23 +206,51 @@
 ')
 optional_policy(`
@ -11757,7 +11799,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 ')
 optional_policy(`
-@@ -179,12 +257,15 @@
+@@ -179,12 +258,15 @@
 ')
 optional_policy(`
@ -12592,7 +12634,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 ')
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/policykit.te serefpolicy-3.6.26/policy/modules/services/policykit.te
 --- nsaserefpolicy/policy/modules/services/policykit.te	2009-07-23 14:11:04.000000000 -0400
-+++ serefpolicy-3.6.26/policy/modules/services/policykit.te	2009-08-03 06:50:17.000000000 -0400
+++ serefpolicy-3.6.26/policy/modules/services/policykit.te	2009-08-05 15:36:05.000000000 -0400
@@ -38,9 +38,10 @@
 allow policykit_t self:capability { setgid setuid };
@ -12650,7 +12692,15 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 rw_files_pattern(policykit_auth_t, policykit_reload_t, policykit_reload_t)
-@@ -104,6 +119,7 @@
+@@ -96,6 +111,7 @@
 files_read_usr_files(policykit_auth_t)
 auth_use_nsswitch(policykit_auth_t)
 +auth_domtrans_chk_passwd(policykit_auth_t)
 logging_send_syslog_msg(policykit_auth_t)
@@ -104,6 +120,7 @@
 userdom_dontaudit_read_user_home_content_files(policykit_auth_t)
 optional_policy(`
@ -12658,7 +12708,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 	dbus_session_bus_client(policykit_auth_t)
 	optional_policy(`
-@@ -116,6 +132,13 @@
+@@ -116,6 +133,13 @@
 	hal_read_state(policykit_auth_t)
 ')
@ -12672,7 +12722,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 ########################################
 #
 # polkit_grant local policy
-@@ -123,7 +146,8 @@
+@@ -123,7 +147,8 @@
 allow policykit_grant_t self:capability setuid;
 allow policykit_grant_t self:process getattr;
@ -12682,7 +12732,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 allow policykit_grant_t self:unix_dgram_socket create_socket_perms;
 allow policykit_grant_t self:unix_stream_socket create_stream_socket_perms;
-@@ -153,9 +177,12 @@
+@@ -153,9 +178,12 @@
 userdom_read_all_users_state(policykit_grant_t)
 optional_policy(`
@ -12696,7 +12746,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 		consolekit_dbus_chat(policykit_grant_t)
 	')
 ')
-@@ -167,7 +194,8 @@
+@@ -167,7 +195,8 @@
 allow policykit_resolve_t self:capability { setuid sys_nice sys_ptrace };
 allow policykit_resolve_t self:process getattr;
@ -14979,7 +15029,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +')
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/setroubleshoot.te serefpolicy-3.6.26/policy/modules/services/setroubleshoot.te
 --- nsaserefpolicy/policy/modules/services/setroubleshoot.te	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.26/policy/modules/services/setroubleshoot.te	2009-07-30 15:33:09.000000000 -0400
+++ serefpolicy-3.6.26/policy/modules/services/setroubleshoot.te	2009-08-05 08:03:58.000000000 -0400
@@ -22,13 +22,19 @@
 type setroubleshoot_var_run_t;
 files_pid_file(setroubleshoot_var_run_t)
@ -15013,7 +15063,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 corecmd_exec_bin(setroubleshootd_t)
 corecmd_exec_shell(setroubleshootd_t)
-@@ -68,16 +77,25 @@
+@@ -68,16 +77,26 @@
 dev_read_urand(setroubleshootd_t)
 dev_read_sysfs(setroubleshootd_t)
@ -15021,6 +15071,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +dev_getattr_all_chr_files(setroubleshootd_t)
 domain_dontaudit_search_all_domains_state(setroubleshootd_t)
 +domain_signull_all_domains(setroubleshootd_t)
 files_read_usr_files(setroubleshootd_t)
 files_read_etc_files(setroubleshootd_t)
@ -15040,7 +15091,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 selinux_get_enforce_mode(setroubleshootd_t)
 selinux_validate_context(setroubleshootd_t)
-@@ -94,23 +112,54 @@
+@@ -94,23 +113,54 @@
 locallogin_dontaudit_use_fds(setroubleshootd_t)
@ -16637,7 +16688,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt.te serefpolicy-3.6.26/policy/modules/services/virt.te
 --- nsaserefpolicy/policy/modules/services/virt.te	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.26/policy/modules/services/virt.te	2009-08-04 05:06:14.000000000 -0400
+++ serefpolicy-3.6.26/policy/modules/services/virt.te	2009-08-05 15:13:13.000000000 -0400
@@ -20,6 +20,28 @@
 ## </desc>
 gen_tunable(virt_use_samba, false)
@ -16855,7 +16906,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 ')
 optional_policy(`
-@@ -195,8 +290,154 @@
+@@ -195,8 +290,155 @@
 	xen_stream_connect(virtd_t)
 	xen_stream_connect_xenstore(virtd_t)
@ -16885,6 +16936,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +
 +manage_dirs_pattern(svirt_t, svirt_var_run_t, svirt_var_run_t)
 +manage_files_pattern(svirt_t, svirt_var_run_t, svirt_var_run_t)
 +manage_sock_files_pattern(svirt_t, svirt_var_run_t, svirt_var_run_t)
 +manage_lnk_files_pattern(svirt_t, svirt_var_run_t, svirt_var_run_t)
 +files_pid_filetrans(svirt_t, svirt_var_run_t, { dir file })
 +stream_connect_pattern(svirt_t, svirt_var_run_t, svirt_var_run_t, virtd_t)
@ -17107,7 +17159,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 /var/lib/pam_devperm/:0	--	gen_context(system_u:object_r:xdm_var_lib_t,s0)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.if serefpolicy-3.6.26/policy/modules/services/xserver.if
 --- nsaserefpolicy/policy/modules/services/xserver.if	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.26/policy/modules/services/xserver.if	2009-08-03 06:49:41.000000000 -0400
+++ serefpolicy-3.6.26/policy/modules/services/xserver.if	2009-08-05 07:48:30.000000000 -0400
@@ -90,7 +90,7 @@
 	allow $2 xauth_home_t:file manage_file_perms;
 	allow $2 xauth_home_t:file { relabelfrom relabelto };
@ -17418,7 +17470,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 	domtrans_pattern($1, xserver_exec_t, xserver_t)
 ')
-@@ -1159,6 +1281,276 @@
+@@ -1159,6 +1281,278 @@
 ########################################
 ## <summary>
@ -17541,7 +17593,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +
 +########################################
 +## <summary>
-+##	Dontaudit write to .xsession-errors file
+##	Dontaudit append to .xsession-errors file
 +## </summary>
 +## <param name="domain">
 +##	<summary>
@ -17549,7 +17601,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +##	</summary>
 +## </param>
 +#
-+interface(`xserver_dontaudit_rw_xdm_home_files',`
+interface(`xserver_dontaudit_append_xdm_home_files',`
 +	gen_require(`
 +		type xdm_home_t;
 +	')
@ -17574,6 +17626,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +	gen_require(`
 +		type xdm_t, xdm_tmp_t;
 +		type xdm_xproperty_t;
 +		type xdm_home_t;
 +		class x_client all_x_client_perms;
 +		class x_drawable all_x_drawable_perms;
 +		class x_property all_x_property_perms;
@ -17589,11 +17642,12 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +	xserver_xdm_stream_connect($1)
 +	xserver_setattr_xdm_tmp_dirs($1)
 +	xserver_read_xdm_pid($1)
 +	xserver_search_xdm_lib($1)
 +
 +	allow $1 xdm_t:x_client { getattr destroy };
 +	allow $1 xdm_t:x_drawable { read receive get_property getattr send list_child add_child };
 +	allow $1 xdm_xproperty_t:x_property { write read };
-+
+	allow $1 xdm_home_t:file append_file_perms;
 +')
 +
 +########################################
@ -17695,7 +17749,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 ##	Interface to provide X object permissions on a given X server to
 ##	an X client domain.  Gives the domain complete control over the
 ##	display.
-@@ -1172,7 +1564,103 @@
+@@ -1172,7 +1566,103 @@
 interface(`xserver_unconfined',`
 	gen_require(`
 		attribute xserver_unconfined_type;
@ -19251,7 +19305,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +')
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.te serefpolicy-3.6.26/policy/modules/system/init.te
 --- nsaserefpolicy/policy/modules/system/init.te	2009-07-30 09:44:08.000000000 -0400
-+++ serefpolicy-3.6.26/policy/modules/system/init.te	2009-07-30 15:33:09.000000000 -0400
+++ serefpolicy-3.6.26/policy/modules/system/init.te	2009-08-05 07:18:15.000000000 -0400
@@ -17,6 +17,20 @@
 ## </desc>
 gen_tunable(init_upstart, false)
@ -19641,7 +19695,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +
 +
 +optional_policy(`
-+	xserver_rw_xdm_home_files(daemon)
+	xserver_dontaudit_append_xdm_home_files(daemon)
 +	tunable_policy(`use_nfs_home_dirs',`
 +		fs_dontaudit_rw_nfs_files(daemon)
 +	')
@ -22990,7 +23044,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +/dev/shm/mono.*		gen_context(system_u:object_r:user_tmpfs_t,s0)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.6.26/policy/modules/system/userdomain.if
 --- nsaserefpolicy/policy/modules/system/userdomain.if	2009-07-28 13:28:33.000000000 -0400
-+++ serefpolicy-3.6.26/policy/modules/system/userdomain.if	2009-07-30 15:33:09.000000000 -0400
+++ serefpolicy-3.6.26/policy/modules/system/userdomain.if	2009-08-05 07:54:48.000000000 -0400
@@ -30,8 +30,9 @@
 	')
@ -23900,7 +23954,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 	logging_dontaudit_send_audit_msgs($1_t)
 	# Need to to this just so screensaver will work. Should be moved to screensaver domain
-@@ -891,28 +953,43 @@
+@@ -891,28 +953,47 @@
 	selinux_get_enforce_mode($1_t)
 	optional_policy(`
@ -23916,6 +23970,10 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +		devicekit_dbus_chat($1_usertype)
 +		devicekit_dbus_chat_disk($1_usertype)
 +		devicekit_dbus_chat_power($1_usertype)
 +	')
 +
 +	optional_policy(`
 +		fprintd_dbus_chat($1_t)
 	')
 	optional_policy(`
@ -23951,7 +24009,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 	')
 ')
-@@ -946,8 +1023,8 @@
+@@ -946,8 +1027,8 @@
 	# Declarations
 	#
@ -23961,7 +24019,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 	userdom_common_user_template($1)
 	##############################
-@@ -956,11 +1033,12 @@
+@@ -956,11 +1037,12 @@
 	#
 	# port access is audited even if dac would not have allowed it, so dontaudit it here
@ -23976,7 +24034,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 	# cjp: why?
 	files_read_kernel_symbol_table($1_t)
-@@ -978,37 +1056,55 @@
+@@ -978,37 +1060,55 @@
 		')
 	')
@ -24046,7 +24104,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 ')
 #######################################
-@@ -1042,7 +1138,7 @@
+@@ -1042,7 +1142,7 @@
 #
 template(`userdom_admin_user_template',`
 	gen_require(`
@ -24055,7 +24113,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 	')
 	##############################
-@@ -1051,8 +1147,7 @@
+@@ -1051,8 +1151,7 @@
 	#
 	# Inherit rules for ordinary users.
@ -24065,7 +24123,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 	domain_obj_id_change_exemption($1_t)
 	role system_r types $1_t;
-@@ -1075,7 +1170,8 @@
+@@ -1075,7 +1174,8 @@
 	# Skip authentication when pam_rootok is specified.
 	allow $1_t self:passwd rootok;
@ -24075,7 +24133,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 	kernel_read_software_raid_state($1_t)
 	kernel_getattr_core_if($1_t)
-@@ -1091,6 +1187,7 @@
+@@ -1091,6 +1191,7 @@
 	kernel_sigstop_unlabeled($1_t)
 	kernel_signull_unlabeled($1_t)
 	kernel_sigchld_unlabeled($1_t)
@ -24083,7 +24141,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 	corenet_tcp_bind_generic_port($1_t)
 	# allow setting up tunnels
-@@ -1098,8 +1195,6 @@
+@@ -1098,8 +1199,6 @@
 	dev_getattr_generic_blk_files($1_t)
 	dev_getattr_generic_chr_files($1_t)
@ -24092,7 +24150,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 	# Allow MAKEDEV to work
 	dev_create_all_blk_files($1_t)
 	dev_create_all_chr_files($1_t)
-@@ -1154,20 +1249,6 @@
+@@ -1154,20 +1253,6 @@
 	# But presently necessary for installing the file_contexts file.
 	seutil_manage_bin_policy($1_t)
@ -24113,7 +24171,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 	optional_policy(`
 		postgresql_unconfined($1_t)
 	')
-@@ -1213,6 +1294,7 @@
+@@ -1213,6 +1298,7 @@
 	dev_relabel_all_dev_nodes($1)
 	files_create_boot_flag($1)
@ -24121,7 +24179,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 	# Necessary for managing /boot/efi
 	fs_manage_dos_files($1)
-@@ -1278,11 +1360,15 @@
+@@ -1278,11 +1364,15 @@
 interface(`userdom_user_home_content',`
 	gen_require(`
 		type user_home_t;
@ -24137,7 +24195,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 ')
 ########################################
-@@ -1374,12 +1460,13 @@
+@@ -1374,12 +1464,13 @@
 	')
 	allow $1 user_home_dir_t:dir search_dir_perms;
@ -24152,7 +24210,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-@@ -1412,6 +1499,14 @@
+@@ -1412,6 +1503,14 @@
 	allow $1 user_home_dir_t:dir list_dir_perms;
 	files_search_home($1)
@ -24167,7 +24225,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 ')
 ########################################
-@@ -1427,9 +1522,11 @@
+@@ -1427,9 +1526,11 @@
 interface(`userdom_dontaudit_list_user_home_dirs',`
 	gen_require(`
 		type user_home_dir_t;
@ -24179,7 +24237,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 ')
 ########################################
-@@ -1486,6 +1583,25 @@
+@@ -1486,6 +1587,25 @@
 	allow $1 user_home_dir_t:dir relabelto;
 ')
@ -24205,7 +24263,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 ########################################
 ## <summary>
 ##	Create directories in the home dir root with
-@@ -1560,6 +1676,8 @@
+@@ -1560,6 +1680,8 @@
 	')
 	dontaudit $1 user_home_t:dir search_dir_perms;
@ -24214,7 +24272,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 ')
 ########################################
-@@ -1653,6 +1771,7 @@
+@@ -1653,6 +1775,7 @@
 		type user_home_dir_t, user_home_t;
 	')
@ -24222,7 +24280,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 	read_files_pattern($1, { user_home_dir_t user_home_t }, user_home_t)
 	files_search_home($1)
 ')
-@@ -1780,19 +1899,32 @@
+@@ -1780,19 +1903,32 @@
 #
 interface(`userdom_exec_user_home_content_files',`
 	gen_require(`
@ -24262,7 +24320,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 ')
 ########################################
-@@ -1827,6 +1959,7 @@
+@@ -1827,6 +1963,7 @@
 interface(`userdom_manage_user_home_content_files',`
 	gen_require(`
 		type user_home_dir_t, user_home_t;
@ -24270,7 +24328,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 	')
 	manage_files_pattern($1, user_home_t, user_home_t)
-@@ -2374,7 +2507,7 @@
+@@ -2374,7 +2511,7 @@
 ########################################
 ## <summary>
@ -24279,7 +24337,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-@@ -2728,11 +2861,32 @@
+@@ -2728,11 +2865,32 @@
 #
 interface(`userdom_search_user_home_content',`
 	gen_require(`
@ -24314,7 +24372,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 ')
 ########################################
-@@ -2860,7 +3014,25 @@
+@@ -2860,7 +3018,25 @@
 		type user_tmp_t;
 	')
@ -24341,7 +24399,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 ')
 ########################################
-@@ -2897,6 +3069,7 @@
+@@ -2897,6 +3073,7 @@
 	')
 	read_files_pattern($1, userdomain, userdomain)
@ -24349,7 +24407,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 	kernel_search_proc($1)
 ')
-@@ -3027,3 +3200,501 @@
+@@ -3027,3 +3204,501 @@
 	allow $1 userdomain:dbus send_msg;
 ')