From 1bc89b8d4c9aaa9689706432171428ae8c1be1f0 Mon Sep 17 00:00:00 2001 From: Daniel J Walsh Date: Oct 29 2008 20:45:55 +0000 Subject: - Fix confined users - Allow xguest to read/write xguest_dbusd_t --- diff --git a/policy-20080710.patch b/policy-20080710.patch index 57d5430..684ed37 100644 --- a/policy-20080710.patch +++ b/policy-20080710.patch @@ -30167,7 +30167,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +/root(/.*)? gen_context(system_u:object_r:admin_home_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.5.13/policy/modules/system/userdomain.if --- nsaserefpolicy/policy/modules/system/userdomain.if 2008-08-07 11:15:12.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/system/userdomain.if 2008-10-29 11:53:44.000000000 -0400 ++++ serefpolicy-3.5.13/policy/modules/system/userdomain.if 2008-10-29 16:35:07.000000000 -0400 @@ -28,10 +28,14 @@ class context contains; ') @@ -30788,7 +30788,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ############################## # # User domain Local policy -@@ -699,188 +668,204 @@ +@@ -699,188 +668,199 @@ dontaudit $1_t self:netlink_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown }; dontaudit $1_t self:netlink_route_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown nlmsg_read nlmsg_write }; @@ -30847,11 +30847,6 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + fs_read_noxattr_fs_files($1_usertype) + fs_read_noxattr_fs_symlinks($1_usertype) + -+ tunable_policy(`user_rw_noexattrfile',` -+ fs_manage_noxattr_fs_files($1_usertype) -+ fs_manage_noxattr_fs_dirs($1_usertype) -+ ') -+ + logging_send_syslog_msg($1_usertype) + logging_send_audit_msgs($1_usertype) + selinux_get_enforce_mode($1_usertype) 
@@ -31073,7 +31068,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ####################################### -@@ -902,9 +887,7 @@ +@@ -902,9 +882,7 @@ ## # template(`userdom_login_user_template', ` @@ -31084,7 +31079,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol userdom_base_user_template($1) -@@ -930,74 +913,77 @@ +@@ -930,74 +908,77 @@ allow $1_t self:process ~{ setcurrent setexec setrlimit execmem execstack execheap }; dontaudit $1_t self:process setrlimit; @@ -31195,7 +31190,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ') -@@ -1031,9 +1017,6 @@ +@@ -1031,9 +1012,6 @@ domain_interactive_fd($1_t) typeattribute $1_devpts_t user_ptynode; @@ -31205,7 +31200,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol typeattribute $1_tty_device_t user_ttynode; ############################## -@@ -1042,12 +1025,25 @@ +@@ -1042,12 +1020,32 @@ # # privileged home directory writers @@ -31222,6 +31217,13 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + manage_fifo_files_pattern(privhome, { user_home_dir_t user_home_t }, user_home_t) + filetrans_pattern(privhome, user_home_dir_t, user_home_t, { dir file lnk_file sock_file fifo_file }) + ++ tunable_policy(`user_rw_noexattrfile',` ++ fs_manage_noxattr_fs_files($1_usertype) ++ fs_manage_noxattr_fs_dirs($1_usertype) ++ fs_manage_dos_dirs($1_usertype) ++ fs_manage_dos_files($1_usertype) ++ ') ++ + optional_policy(` + dbus_per_role_template($1, $1_usertype, $1_r) + dbus_system_bus_client_template($1, $1_usertype) @@ -31237,7 +31239,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol optional_policy(` loadkeys_run($1_t,$1_r,$1_tty_device_t) -@@ -1079,7 +1075,9 @@ +@@ -1079,7 +1077,9 @@ userdom_restricted_user_template($1) 
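Review bot: The user_rw_noexattrfile tunable block re-added in the hunk at `@@ -31222,6 +31217,13 @@` carries two calls that the copy removed in the earlier hunk (`@@ -30847,11 +30847,6 @@`) did not, `fs_manage_dos_dirs($1_usertype)` and `fs_manage_dos_files($1_usertype)`, so enabling that boolean now also grants confined users manage access to DOS filesystems, and neither the commit message nor the changelog entry mentions this widening. The tunable's description lives outside this hunk and should be updated to say that it also permits writing to DOS/VFAT filesystems, so an administrator enabling it knows what is being granted. If dosfs_t already carries the noxattrfs attribute in this policy base the two new calls are redundant and can be dropped; if it does not, a short comment above them such as `# DOS filesystems carry no xattrs, so treat them like noxattr fs` would explain why they belong under this boolean. The move also relocates the block from the template patched in the earlier hunk into the one patched here, so the grant presumably now reaches only domains built through this template; the enclosing template begins and ends outside the hunk.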
@@ -31247,7 +31249,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ############################## # -@@ -1087,14 +1085,16 @@ +@@ -1087,14 +1087,16 @@ # authlogin_per_role_template($1, $1_t, $1_r) @@ -31269,7 +31271,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol logging_dontaudit_send_audit_msgs($1_t) # Need to to this just so screensaver will work. Should be moved to screensaver domain -@@ -1102,28 +1102,19 @@ +@@ -1102,28 +1104,19 @@ selinux_get_enforce_mode($1_t) optional_policy(` @@ -31302,7 +31304,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ') -@@ -1134,8 +1125,7 @@ +@@ -1134,8 +1127,7 @@ ## ## ##

@@ -31312,7 +31314,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ##

##

## This template creates a user domain, types, and -@@ -1157,8 +1147,8 @@ +@@ -1157,8 +1149,8 @@ # Declarations # @@ -31322,7 +31324,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol userdom_common_user_template($1) ############################## -@@ -1167,11 +1157,10 @@ +@@ -1167,11 +1159,10 @@ # # port access is audited even if dac would not have allowed it, so dontaudit it here @@ -31335,7 +31337,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # cjp: why? files_read_kernel_symbol_table($1_t) -@@ -1189,36 +1178,41 @@ +@@ -1189,36 +1180,41 @@ ') ') @@ -31390,7 +31392,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ') -@@ -1263,8 +1257,7 @@ +@@ -1263,8 +1259,7 @@ # # Inherit rules for ordinary users. @@ -31400,7 +31402,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol typeattribute $1_t privhome; domain_obj_id_change_exemption($1_t) -@@ -1295,8 +1288,6 @@ +@@ -1295,8 +1290,6 @@ # Manipulate other users crontab. allow $1_t self:passwd crontab; @@ -31409,7 +31411,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol kernel_read_software_raid_state($1_t) kernel_getattr_core_if($1_t) kernel_getattr_message_if($1_t) -@@ -1318,8 +1309,6 @@ +@@ -1318,8 +1311,6 @@ dev_getattr_generic_blk_files($1_t) dev_getattr_generic_chr_files($1_t) @@ -31418,7 +31420,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # Allow MAKEDEV to work dev_create_all_blk_files($1_t) dev_create_all_chr_files($1_t) -@@ -1374,13 +1363,6 @@ +@@ -1374,13 +1365,6 @@ # But presently necessary for installing the file_contexts file. seutil_manage_bin_policy($1_t) 
@@ -31432,7 +31434,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol optional_policy(` postgresql_unconfined($1_t) ') -@@ -1432,6 +1414,7 @@ +@@ -1432,6 +1416,7 @@ dev_relabel_all_dev_nodes($1) files_create_boot_flag($1) @@ -31440,7 +31442,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # Necessary for managing /boot/efi fs_manage_dos_files($1) -@@ -1461,10 +1444,6 @@ +@@ -1461,10 +1446,6 @@ seutil_run_semanage($1,$2,$3) seutil_run_setfiles($1, $2, $3) @@ -31451,7 +31453,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol optional_policy(` aide_run($1,$2, $3) ') -@@ -1484,6 +1463,14 @@ +@@ -1484,6 +1465,14 @@ optional_policy(` netlabel_run_mgmt($1,$2, $3) ') @@ -31466,7 +31468,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -1741,11 +1728,15 @@ +@@ -1741,11 +1730,15 @@ # template(`userdom_user_home_content',` gen_require(` @@ -31485,7 +31487,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -1841,11 +1832,11 @@ +@@ -1841,11 +1834,11 @@ # template(`userdom_search_user_home_dirs',` gen_require(` @@ -31499,7 +31501,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -1875,11 +1866,11 @@ +@@ -1875,11 +1868,11 @@ # template(`userdom_list_user_home_dirs',` gen_require(` @@ -31513,7 +31515,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -1923,12 +1914,12 @@ +@@ -1923,12 +1916,12 @@ # template(`userdom_user_home_domtrans',` gen_require(` 
@@ -31529,7 +31531,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -1958,10 +1949,11 @@ +@@ -1958,10 +1951,11 @@ # template(`userdom_dontaudit_list_user_home_dirs',` gen_require(` @@ -31543,7 +31545,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -1993,11 +1985,47 @@ +@@ -1993,11 +1987,47 @@ # template(`userdom_manage_user_home_content_dirs',` gen_require(` @@ -31593,7 +31595,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -2029,10 +2057,10 @@ +@@ -2029,10 +2059,10 @@ # template(`userdom_dontaudit_setattr_user_home_content_files',` gen_require(` @@ -31606,7 +31608,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -2062,11 +2090,11 @@ +@@ -2062,11 +2092,11 @@ # template(`userdom_read_user_home_content_files',` gen_require(` @@ -31620,7 +31622,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -2096,11 +2124,11 @@ +@@ -2096,11 +2126,11 @@ # template(`userdom_dontaudit_read_user_home_content_files',` gen_require(` @@ -31635,7 +31637,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -2130,10 +2158,14 @@ +@@ -2130,10 +2160,14 @@ # template(`userdom_dontaudit_write_user_home_content_files',` gen_require(` @@ -31652,7 +31654,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -2163,11 +2195,11 @@ +@@ -2163,11 +2197,11 @@ # template(`userdom_read_user_home_content_symlinks',` gen_require(` 
@@ -31666,7 +31668,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -2197,11 +2229,11 @@ +@@ -2197,11 +2231,11 @@ # template(`userdom_exec_user_home_content_files',` gen_require(` @@ -31680,7 +31682,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -2231,10 +2263,10 @@ +@@ -2231,10 +2265,10 @@ # template(`userdom_dontaudit_exec_user_home_content_files',` gen_require(` @@ -31693,7 +31695,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -2266,12 +2298,12 @@ +@@ -2266,12 +2300,12 @@ # template(`userdom_manage_user_home_content_files',` gen_require(` @@ -31709,7 +31711,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -2303,10 +2335,10 @@ +@@ -2303,10 +2337,10 @@ # template(`userdom_dontaudit_manage_user_home_content_dirs',` gen_require(` @@ -31722,7 +31724,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -2338,12 +2370,12 @@ +@@ -2338,12 +2372,12 @@ # template(`userdom_manage_user_home_content_symlinks',` gen_require(` @@ -31738,7 +31740,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -2375,12 +2407,12 @@ +@@ -2375,12 +2409,12 @@ # template(`userdom_manage_user_home_content_pipes',` gen_require(` @@ -31754,7 +31756,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -2412,12 +2444,12 @@ +@@ -2412,12 +2446,12 @@ # template(`userdom_manage_user_home_content_sockets',` gen_require(` 
@@ -31770,7 +31772,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -2462,11 +2494,11 @@ +@@ -2462,11 +2496,11 @@ # template(`userdom_user_home_dir_filetrans',` gen_require(` @@ -31784,7 +31786,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -2511,11 +2543,11 @@ +@@ -2511,11 +2545,11 @@ # template(`userdom_user_home_content_filetrans',` gen_require(` @@ -31798,7 +31800,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -2555,11 +2587,11 @@ +@@ -2555,11 +2589,11 @@ # template(`userdom_user_home_dir_filetrans_user_home_content',` gen_require(` @@ -31812,7 +31814,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -2589,11 +2621,11 @@ +@@ -2589,11 +2623,11 @@ # template(`userdom_write_user_tmp_sockets',` gen_require(` @@ -31826,7 +31828,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -2623,11 +2655,11 @@ +@@ -2623,11 +2657,11 @@ # template(`userdom_list_user_tmp',` gen_require(` @@ -31840,7 +31842,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -2659,10 +2691,10 @@ +@@ -2659,10 +2693,10 @@ # template(`userdom_dontaudit_list_user_tmp',` gen_require(` @@ -31853,7 +31855,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -2694,10 +2726,10 @@ +@@ -2694,10 +2728,10 @@ # template(`userdom_dontaudit_manage_user_tmp_dirs',` gen_require(` 
@@ -31866,7 +31868,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -2727,12 +2759,12 @@ +@@ -2727,12 +2761,12 @@ # template(`userdom_read_user_tmp_files',` gen_require(` @@ -31882,7 +31884,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -2764,10 +2796,10 @@ +@@ -2764,10 +2798,10 @@ # template(`userdom_dontaudit_read_user_tmp_files',` gen_require(` @@ -31895,7 +31897,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -2799,10 +2831,10 @@ +@@ -2799,10 +2833,10 @@ # template(`userdom_dontaudit_append_user_tmp_files',` gen_require(` @@ -31908,7 +31910,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -2832,12 +2864,12 @@ +@@ -2832,12 +2866,12 @@ # template(`userdom_rw_user_tmp_files',` gen_require(` @@ -31924,7 +31926,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -2869,10 +2901,10 @@ +@@ -2869,10 +2903,10 @@ # template(`userdom_dontaudit_manage_user_tmp_files',` gen_require(` @@ -31937,7 +31939,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -2904,12 +2936,12 @@ +@@ -2904,12 +2938,12 @@ # template(`userdom_read_user_tmp_symlinks',` gen_require(` @@ -31953,7 +31955,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -2941,11 +2973,11 @@ +@@ -2941,11 +2975,11 @@ # template(`userdom_manage_user_tmp_dirs',` gen_require(` 
@@ -31967,7 +31969,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -2977,11 +3009,11 @@ +@@ -2977,11 +3011,11 @@ # template(`userdom_manage_user_tmp_files',` gen_require(` @@ -31981,7 +31983,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -3013,11 +3045,11 @@ +@@ -3013,11 +3047,11 @@ # template(`userdom_manage_user_tmp_symlinks',` gen_require(` @@ -31995,7 +31997,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -3049,11 +3081,11 @@ +@@ -3049,11 +3083,11 @@ # template(`userdom_manage_user_tmp_pipes',` gen_require(` @@ -32009,7 +32011,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -3085,11 +3117,11 @@ +@@ -3085,11 +3119,11 @@ # template(`userdom_manage_user_tmp_sockets',` gen_require(` @@ -32023,7 +32025,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -3134,10 +3166,10 @@ +@@ -3134,10 +3168,10 @@ # template(`userdom_user_tmp_filetrans',` gen_require(` @@ -32036,7 +32038,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol files_search_tmp($2) ') -@@ -3178,19 +3210,19 @@ +@@ -3178,19 +3212,19 @@ # template(`userdom_tmp_filetrans_user_tmp',` gen_require(` @@ -32060,7 +32062,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ##

##

## This is a templated interface, and should only -@@ -3211,13 +3243,13 @@ +@@ -3211,13 +3245,13 @@ # template(`userdom_rw_user_tmpfs_files',` gen_require(` @@ -32078,7 +32080,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -4616,11 +4648,11 @@ +@@ -4616,11 +4650,11 @@ # interface(`userdom_search_all_users_home_dirs',` gen_require(` @@ -32092,7 +32094,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -4640,6 +4672,14 @@ +@@ -4640,6 +4674,14 @@ files_list_home($1) allow $1 home_dir_type:dir list_dir_perms; @@ -32107,7 +32109,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -4677,6 +4717,8 @@ +@@ -4677,6 +4719,8 @@ ') dontaudit $1 { home_dir_type home_type }:dir search_dir_perms; @@ -32116,7 +32118,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -4721,6 +4763,25 @@ +@@ -4721,6 +4765,25 @@ ######################################## ##

@@ -32142,7 +32144,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## Create, read, write, and delete all files ## in all users home directories. ## -@@ -4946,7 +5007,7 @@ +@@ -4946,7 +5009,7 @@ ######################################## ## @@ -32151,7 +32153,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## ## ## -@@ -5318,7 +5379,7 @@ +@@ -5318,7 +5381,7 @@ ######################################## ## @@ -32160,7 +32162,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## ## ## -@@ -5326,18 +5387,17 @@ +@@ -5326,18 +5389,17 @@ ## ## # @@ -32183,7 +32185,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## ## ## -@@ -5345,17 +5405,17 @@ +@@ -5345,17 +5407,17 @@ ## ## # @@ -32205,7 +32207,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## ## ## -@@ -5363,18 +5423,18 @@ +@@ -5363,18 +5425,18 @@ ## ## # @@ -32229,13 +32231,14 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## ## ## -@@ -5382,7 +5442,44 @@ +@@ -5382,9 +5444,46 @@ ## ## # -interface(`userdom_getattr_all_users',` +interface(`userdom_dontaudit_use_unpriv_users_ttys',` -+ gen_require(` + gen_require(` +- attribute userdomain; + attribute user_ttynode; + ') + @@ -32272,10 +32275,12 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +## +# +interface(`userdom_getattr_all_users',` - gen_require(` - attribute userdomain; ++ gen_require(` ++ attribute userdomain; ') -@@ -5483,6 +5580,42 @@ + + allow $1 userdomain:process getattr; +@@ -5483,6 +5582,42 @@ ######################################## ## 
@@ -32318,7 +32323,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## Send a dbus message to all user domains. ## ## -@@ -5513,3 +5646,546 @@ +@@ -5513,3 +5648,546 @@ interface(`userdom_unconfined',` refpolicywarn(`$0($*) has been deprecated.') ') diff --git a/selinux-policy.spec b/selinux-policy.spec index a89de51..a77565b 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -20,7 +20,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.5.13 -Release: 10%{?dist} +Release: 11%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -457,7 +457,7 @@ exit 0 %endif %changelog -* Wed Oct 29 2008 Dan Walsh 3.5.13-10 +* Wed Oct 29 2008 Dan Walsh 3.5.13-11 - Fix confined users - Allow xguest to read/write xguest_dbusd_t