From e3bfb241a71beab797987c03622a5806f845e5a5 Mon Sep 17 00:00:00 2001 From: Daniel J Walsh Date: May 08 2009 17:12:20 +0000 Subject: - Add policy for /var/lib/fprint --- diff --git a/policy-20090105.patch b/policy-20090105.patch index f748951..80e0831 100644 --- a/policy-20090105.patch +++ b/policy-20090105.patch @@ -799,7 +799,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol -/usr/sbin/readahead -- gen_context(system_u:object_r:readahead_exec_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/readahead.te serefpolicy-3.6.12/policy/modules/admin/readahead.te --- nsaserefpolicy/policy/modules/admin/readahead.te 2009-01-05 15:39:44.000000000 -0500 -+++ serefpolicy-3.6.12/policy/modules/admin/readahead.te 2009-04-30 14:18:18.000000000 -0400 ++++ serefpolicy-3.6.12/policy/modules/admin/readahead.te 2009-05-08 11:49:07.000000000 -0400 @@ -11,8 +11,8 @@ init_daemon_domain(readahead_t, readahead_exec_t) application_domain(readahead_t, readahead_exec_t) @@ -811,11 +811,13 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol type readahead_var_run_t; files_pid_file(readahead_var_run_t) -@@ -24,14 +24,17 @@ +@@ -23,15 +23,17 @@ + # allow readahead_t self:capability { fowner dac_override dac_read_search }; - dontaudit readahead_t self:capability sys_tty_config; +-dontaudit readahead_t self:capability sys_tty_config; -allow readahead_t self:process signal_perms; ++dontaudit readahead_t self:capability { net_admin sys_tty_config }; +allow readahead_t self:process { setsched signal_perms }; -manage_files_pattern(readahead_t, readahead_etc_rw_t, readahead_etc_rw_t) 
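Review bot: `dontaudit readahead_t self:capability { net_admin sys_tty_config };` silences a net_admin denial for a boot-time file preloader without recording what triggers it, and a dontaudit removes the event from the audit log entirely. Put the cause next to the rule, e.g. `# net_admin: <cause> — access not needed, silence the denial` with the placeholder filled in from the denial that prompted this. If the access turns out to be genuinely required, an explicit allow is preferable to a dontaudit so the decision stays visible. The readahead.te block this touches continues past the hunk.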
@@ -826,12 +828,12 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol manage_files_pattern(readahead_t, readahead_var_run_t, readahead_var_run_t) files_pid_filetrans(readahead_t, readahead_var_run_t, file) - kernel_read_kernel_sysctls(readahead_t) -+kernel_read_net_sysctls(readahead_t) +-kernel_read_kernel_sysctls(readahead_t) ++kernel_read_all_sysctls(readahead_t) kernel_read_system_state(readahead_t) kernel_dontaudit_getattr_core_if(readahead_t) -@@ -46,10 +49,12 @@ +@@ -46,10 +48,12 @@ storage_raw_read_fixed_disk(readahead_t) domain_use_interactive_fds(readahead_t) @@ -844,7 +846,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol fs_getattr_all_fs(readahead_t) fs_search_auto_mountpoints(readahead_t) -@@ -58,6 +63,7 @@ +@@ -58,6 +62,7 @@ fs_dontaudit_search_ramfs(readahead_t) fs_dontaudit_read_ramfs_pipes(readahead_t) fs_dontaudit_read_ramfs_files(readahead_t) @@ -852,7 +854,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol fs_read_tmpfs_symlinks(readahead_t) fs_list_inotifyfs(readahead_t) -@@ -72,6 +78,7 @@ +@@ -72,6 +77,7 @@ init_getattr_initctl(readahead_t) logging_send_syslog_msg(readahead_t) @@ -2223,7 +2225,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ######################################## diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gpg.te serefpolicy-3.6.12/policy/modules/apps/gpg.te --- nsaserefpolicy/policy/modules/apps/gpg.te 2009-01-19 11:03:28.000000000 -0500 -+++ serefpolicy-3.6.12/policy/modules/apps/gpg.te 2009-04-23 09:44:57.000000000 -0400 ++++ serefpolicy-3.6.12/policy/modules/apps/gpg.te 2009-05-08 12:51:11.000000000 -0400 @@ -60,7 +60,7 @@ allow gpg_t self:capability { ipc_lock setuid }; 
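Review bot: `kernel_read_all_sysctls(readahead_t)` replaces the `kernel_read_net_sysctls(readahead_t)` the previous revision of this patch added, so readahead now gets read access to every sysctl type instead of the net ones, with no comment on why. If the remaining denial is for one or two sysctl classes, the matching narrower `kernel_read_*_sysctls` interface next to the existing net one keeps the grant minimal; if all of them really are needed, a one-line comment such as `# reads sysctls across classes at boot: <reason>` would stop the next reader from narrowing it again. The surrounding readahead.te rules extend beyond this hunk.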
@@ -2321,6 +2323,13 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ######################################## # # GPG agent local policy +@@ -248,5 +266,5 @@ + ') + + optional_policy(` +- xserver_stream_connect(gpg_pinentry_t) ++ xserver_common_app(gpg_pinentry_t) + ') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.fc serefpolicy-3.6.12/policy/modules/apps/java.fc --- nsaserefpolicy/policy/modules/apps/java.fc 2009-01-05 15:39:38.000000000 -0500 +++ serefpolicy-3.6.12/policy/modules/apps/java.fc 2009-04-23 09:44:57.000000000 -0400 @@ -2360,7 +2369,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +/usr/lib/opera(/.*)?/opera -- gen_context(system_u:object_r:java_exec_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.if serefpolicy-3.6.12/policy/modules/apps/java.if --- nsaserefpolicy/policy/modules/apps/java.if 2008-11-11 16:13:42.000000000 -0500 -+++ serefpolicy-3.6.12/policy/modules/apps/java.if 2009-04-28 12:20:13.000000000 -0400 ++++ serefpolicy-3.6.12/policy/modules/apps/java.if 2009-05-08 12:53:35.000000000 -0400 @@ -30,6 +30,7 @@ allow java_t $2:unix_stream_socket connectto; @@ -2369,7 +2378,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -68,3 +69,130 @@ +@@ -68,3 +69,131 @@ domtrans_pattern($1, java_exec_t, unconfined_java_t) corecmd_search_bin($1) ') 
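Review bot: `xserver_common_app(gpg_pinentry_t)` is not a drop-in for the `xserver_stream_connect(gpg_pinentry_t)` it replaces: the xserver.if hunk later in this commit shows xserver_common_app also granting `x_event`/`x_synthetic_event` receive and send on `xevent_type`, `xserver_communicate($1, $1)` and `xserver_use_xdm($1)` on top of the socket connect. Every such substitution therefore widens the domain's X access rather than renaming it; the same swap is made for nsplugin_t, pulseaudio_t, vmware_host_t, wine_t, consolekit_t, rhgb_t and ssh_t in the hunks that follow. For domains that only need the unix socket — rhgb_t, vmware_host_t and ssh_t look like candidates, to be confirmed against their denials — keep `xserver_stream_connect`, which after this commit no longer pulls in xserver_common_app and so is the narrow option. The enclosing optional_policy block for gpg_pinentry_t is only partly inside the hunk.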
@@ -2497,12 +2506,13 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + corecmd_bin_domtrans($1_java_t, $1_t) + + optional_policy(` ++ xserver_common_app($1_java_t) + xserver_role($1_r, $1_java_t) + ') +') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.te serefpolicy-3.6.12/policy/modules/apps/java.te --- nsaserefpolicy/policy/modules/apps/java.te 2009-01-19 11:03:28.000000000 -0500 -+++ serefpolicy-3.6.12/policy/modules/apps/java.te 2009-04-28 12:19:47.000000000 -0400 ++++ serefpolicy-3.6.12/policy/modules/apps/java.te 2009-05-08 12:53:24.000000000 -0400 @@ -20,6 +20,8 @@ typealias java_t alias { staff_javaplugin_t user_javaplugin_t sysadm_javaplugin_t }; typealias java_t alias { auditadm_javaplugin_t secadm_javaplugin_t }; @@ -2544,7 +2554,15 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol optional_policy(` nis_use_ypbind(java_t) ') -@@ -147,4 +151,12 @@ +@@ -131,6 +135,7 @@ + ') + + optional_policy(` ++ xserver_common_app(java_t) + xserver_user_x_domain_template(java, java_t, java_tmpfs_t) + ') + +@@ -147,4 +152,12 @@ unconfined_domain_noaudit(unconfined_java_t) unconfined_dbus_chat(unconfined_java_t) @@ -3167,8 +3185,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin.te serefpolicy-3.6.12/policy/modules/apps/nsplugin.te --- nsaserefpolicy/policy/modules/apps/nsplugin.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.12/policy/modules/apps/nsplugin.te 2009-04-23 09:44:57.000000000 -0400 -@@ -0,0 +1,294 @@ ++++ serefpolicy-3.6.12/policy/modules/apps/nsplugin.te 2009-05-08 12:52:11.000000000 -0400 +@@ -0,0 +1,293 @@ + +policy_module(nsplugin, 1.0.0) + 
@@ -3358,8 +3376,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + type user_tmpfs_t; + ') + xserver_user_x_domain_template(nsplugin, nsplugin_t, user_tmpfs_t) -+ xserver_stream_connect_xdm(nsplugin_t) -+ xserver_stream_connect(nsplugin_t) ++ xserver_common_app(nsplugin_t) + xserver_rw_shm(nsplugin_t) + xserver_read_xdm_tmp_files(nsplugin_t) + xserver_read_xdm_pid(nsplugin_t) @@ -3472,8 +3489,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/openoffice.if serefpolicy-3.6.12/policy/modules/apps/openoffice.if --- nsaserefpolicy/policy/modules/apps/openoffice.if 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.12/policy/modules/apps/openoffice.if 2009-04-23 09:44:57.000000000 -0400 -@@ -0,0 +1,92 @@ ++++ serefpolicy-3.6.12/policy/modules/apps/openoffice.if 2009-05-08 12:53:55.000000000 -0400 +@@ -0,0 +1,93 @@ +## Openoffice + +####################################### @@ -3563,6 +3580,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + allow $3 $1_openoffice_t:process { signal sigkill }; + allow $1_openoffice_t $3:unix_stream_socket connectto; + optional_policy(` ++ xserver_common_app($1_openoffice_t) + xserver_common_x_domain_template($1, $1_openoffice_t) + ') +') @@ -3876,7 +3894,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/pulseaudio.te serefpolicy-3.6.12/policy/modules/apps/pulseaudio.te --- nsaserefpolicy/policy/modules/apps/pulseaudio.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.12/policy/modules/apps/pulseaudio.te 2009-04-23 09:48:50.000000000 -0400 ++++ serefpolicy-3.6.12/policy/modules/apps/pulseaudio.te 2009-05-08 12:51:50.000000000 -0400 @@ -0,0 +1,111 @@ +policy_module(pulseaudio,1.0.0) + 
@@ -3977,7 +3995,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +optional_policy(` + xserver_common_app(pulseaudio_t) + xserver_read_xdm_pid(pulseaudio_t) -+ xserver_stream_connect(pulseaudio_t) ++ xserver_common_app(pulseaudio_t) + xserver_manage_xdm_tmp_files(pulseaudio_t) + xserver_read_xdm_lib_files(pulseaudio_t) +') @@ -4573,7 +4591,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol typealias uml_tmp_t alias { user_uml_tmp_t staff_uml_tmp_t sysadm_uml_tmp_t }; diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/vmware.te serefpolicy-3.6.12/policy/modules/apps/vmware.te --- nsaserefpolicy/policy/modules/apps/vmware.te 2009-01-19 11:03:28.000000000 -0500 -+++ serefpolicy-3.6.12/policy/modules/apps/vmware.te 2009-04-23 09:44:57.000000000 -0400 ++++ serefpolicy-3.6.12/policy/modules/apps/vmware.te 2009-05-08 12:51:38.000000000 -0400 @@ -29,6 +29,10 @@ type vmware_host_exec_t; init_daemon_domain(vmware_host_t, vmware_host_exec_t) @@ -4646,7 +4664,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +optional_policy(` + xserver_read_tmp_files(vmware_host_t) + xserver_read_xdm_pid(vmware_host_t) -+ xserver_stream_connect(vmware_host_t) ++ xserver_common_app(vmware_host_t) +') + + @@ -4759,7 +4777,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wine.te serefpolicy-3.6.12/policy/modules/apps/wine.te --- nsaserefpolicy/policy/modules/apps/wine.te 2009-01-05 15:39:38.000000000 -0500 -+++ serefpolicy-3.6.12/policy/modules/apps/wine.te 2009-04-23 09:44:57.000000000 -0400 ++++ serefpolicy-3.6.12/policy/modules/apps/wine.te 2009-05-08 12:51:26.000000000 -0400 @@ -9,6 +9,7 @@ type wine_t; type wine_exec_t; 
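Review bot: `xserver_common_app(pulseaudio_t)` now appears twice in the same optional_policy block — the existing call two lines above and the line substituted for `xserver_stream_connect(pulseaudio_t)`. The duplicate does not change the compiled policy, but it is noise and hides that the stream-connect grant has been folded into the other call; drop the substituted line and keep the existing one. The same doubled call results in wine.te (`xserver_common_app(wine_t)`) and consolekit.te (`xserver_common_app(consolekit_t)`) in later hunks of this commit.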
@@ -4787,7 +4805,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +optional_policy(` + xserver_common_app(wine_t) + xserver_read_xdm_pid(wine_t) -+ xserver_stream_connect(wine_t) ++ xserver_common_app(wine_t) + xserver_rw_shm(wine_t) ') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wm.fc serefpolicy-3.6.12/policy/modules/apps/wm.fc @@ -5241,13 +5259,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol type urandom_device_t; diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain.if serefpolicy-3.6.12/policy/modules/kernel/domain.if --- nsaserefpolicy/policy/modules/kernel/domain.if 2009-01-05 15:39:38.000000000 -0500 -+++ serefpolicy-3.6.12/policy/modules/kernel/domain.if 2009-05-07 10:28:45.000000000 -0400 -@@ -1,4 +1,4 @@ --## Core policy for domains. -+# Core policy for domains. - ## - ## Contains the concept of a domain. - ## ++++ serefpolicy-3.6.12/policy/modules/kernel/domain.if 2009-05-08 11:33:48.000000000 -0400 @@ -525,7 +525,7 @@ ') @@ -5483,7 +5495,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol /var/lib/nfs/rpc_pipefs(/.*)? <> diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.if serefpolicy-3.6.12/policy/modules/kernel/files.if --- nsaserefpolicy/policy/modules/kernel/files.if 2009-01-05 15:39:38.000000000 -0500 -+++ serefpolicy-3.6.12/policy/modules/kernel/files.if 2009-05-07 10:31:31.000000000 -0400 ++++ serefpolicy-3.6.12/policy/modules/kernel/files.if 2009-05-08 13:00:36.000000000 -0400 @@ -110,6 +110,11 @@ ## # 
@@ -5639,7 +5651,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') allow $1 modules_object_t:dir search_dir_perms; -+ read_link_file_pattern($1, modules_object_t, modules_object_t) ++ read_lnk_files_pattern($1, modules_object_t, modules_object_t) ') ######################################## @@ -6003,7 +6015,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel.if serefpolicy-3.6.12/policy/modules/kernel/kernel.if --- nsaserefpolicy/policy/modules/kernel/kernel.if 2009-01-05 15:39:38.000000000 -0500 -+++ serefpolicy-3.6.12/policy/modules/kernel/kernel.if 2009-05-04 11:25:35.000000000 -0400 ++++ serefpolicy-3.6.12/policy/modules/kernel/kernel.if 2009-05-08 11:48:52.000000000 -0400 @@ -1197,6 +1197,26 @@ ') @@ -10511,7 +10523,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/consolekit.te serefpolicy-3.6.12/policy/modules/services/consolekit.te --- nsaserefpolicy/policy/modules/services/consolekit.te 2009-01-05 15:39:43.000000000 -0500 -+++ serefpolicy-3.6.12/policy/modules/services/consolekit.te 2009-04-30 17:45:01.000000000 -0400 ++++ serefpolicy-3.6.12/policy/modules/services/consolekit.te 2009-05-08 12:52:48.000000000 -0400 @@ -13,6 +13,9 @@ type consolekit_var_run_t; files_pid_file(consolekit_var_run_t) @@ -10602,7 +10614,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +optional_policy(` + xserver_read_xdm_pid(consolekit_t) xserver_read_user_xauth(consolekit_t) - xserver_stream_connect(consolekit_t) +- xserver_stream_connect(consolekit_t) ++ xserver_common_app(consolekit_t) + xserver_ptrace_xdm(consolekit_t) + xserver_common_app(consolekit_t) + corenet_tcp_connect_xserver_port(consolekit_t) 
@@ -13581,12 +13594,12 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol files_pid_file(fetchmail_var_run_t) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/fprintd.fc serefpolicy-3.6.12/policy/modules/services/fprintd.fc --- nsaserefpolicy/policy/modules/services/fprintd.fc 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.12/policy/modules/services/fprintd.fc 2009-05-07 10:07:34.000000000 -0400 ++++ serefpolicy-3.6.12/policy/modules/services/fprintd.fc 2009-05-08 11:59:23.000000000 -0400 @@ -0,0 +1,4 @@ + +/usr/libexec/fprintd -- gen_context(system_u:object_r:fprintd_exec_t,s0) + -+/var/lib/fprint gen_context(system_u:object_r:fprintd_var_lib_t,s0) ++/var/lib/fprint(/.*)? gen_context(system_u:object_r:fprintd_var_lib_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/fprintd.if serefpolicy-3.6.12/policy/modules/services/fprintd.if --- nsaserefpolicy/policy/modules/services/fprintd.if 1969-12-31 19:00:00.000000000 -0500 +++ serefpolicy-3.6.12/policy/modules/services/fprintd.if 2009-05-07 10:09:49.000000000 -0400 
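Review bot: `/var/lib/fprint(/.*)?` now labels the files fprintd keeps under that directory as fprintd_var_lib_t rather than only the directory itself, which is the right shape for an fc entry meant to cover a tree. Whether fprintd_t is allowed to create and manage content of that type, and whether a `files_var_lib_filetrans(fprintd_t, fprintd_var_lib_t, dir)` exists so the directory gets this label when created at runtime rather than only through a relabel, lives in fprintd.te, which is not in this chunk — confirm both. Nothing in this commit suggests any other domain needs access to that tree, which is the desirable state for stored biometric data.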
@@ -20533,6 +20546,18 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +') + ') +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rhgb.te serefpolicy-3.6.12/policy/modules/services/rhgb.te +--- nsaserefpolicy/policy/modules/services/rhgb.te 2009-01-19 11:06:49.000000000 -0500 ++++ serefpolicy-3.6.12/policy/modules/services/rhgb.te 2009-05-08 12:53:02.000000000 -0400 +@@ -118,7 +118,7 @@ + xserver_domtrans(rhgb_t) + xserver_signal(rhgb_t) + xserver_read_xdm_tmp_files(rhgb_t) +-xserver_stream_connect(rhgb_t) ++xserver_common_app(rhgb_t) + + optional_policy(` + consoletype_exec(rhgb_t) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ricci.te serefpolicy-3.6.12/policy/modules/services/ricci.te --- nsaserefpolicy/policy/modules/services/ricci.te 2009-01-19 11:06:49.000000000 -0500 +++ serefpolicy-3.6.12/policy/modules/services/ricci.te 2009-04-23 09:44:57.000000000 -0400 @@ -22699,7 +22724,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spamassassin.te serefpolicy-3.6.12/policy/modules/services/spamassassin.te --- nsaserefpolicy/policy/modules/services/spamassassin.te 2009-01-19 11:06:49.000000000 -0500 -+++ serefpolicy-3.6.12/policy/modules/services/spamassassin.te 2009-04-30 08:12:59.000000000 -0400 ++++ serefpolicy-3.6.12/policy/modules/services/spamassassin.te 2009-05-08 07:53:09.000000000 -0400 @@ -20,6 +20,35 @@ ## gen_tunable(spamd_enable_home_dirs, true) 
@@ -22736,7 +22761,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol type spamassassin_t; type spamassassin_exec_t; typealias spamassassin_t alias { user_spamassassin_t staff_spamassassin_t sysadm_spamassassin_t }; -@@ -51,11 +80,18 @@ +@@ -51,10 +80,18 @@ typealias spamc_tmp_t alias { auditadm_spamc_tmp_t secadm_spamc_tmp_t }; files_tmp_file(spamc_tmp_t) ubac_constrained(spamc_tmp_t) @@ -22745,17 +22770,17 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol type spamd_t; type spamd_exec_t; init_daemon_domain(spamd_t, spamd_exec_t) - ++can_exec(spamd_t, spamd_exec_t) ++ +type spamd_initrc_exec_t; +init_script_file(spamd_initrc_exec_t) + +type spamd_log_t; +logging_log_file(spamd_log_t) -+ + type spamd_spool_t; files_type(spamd_spool_t) - -@@ -110,6 +146,7 @@ +@@ -110,6 +147,7 @@ dev_read_urand(spamassassin_t) fs_search_auto_mountpoints(spamassassin_t) @@ -22763,7 +22788,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # this should probably be removed corecmd_list_bin(spamassassin_t) -@@ -159,6 +196,7 @@ +@@ -159,6 +197,7 @@ corenet_udp_sendrecv_all_ports(spamassassin_t) corenet_tcp_connect_all_ports(spamassassin_t) corenet_sendrecv_all_client_packets(spamassassin_t) @@ -22771,7 +22796,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol sysnet_read_config(spamassassin_t) ') -@@ -195,6 +233,7 @@ +@@ -195,6 +234,7 @@ optional_policy(` mta_read_config(spamassassin_t) sendmail_stub(spamassassin_t) @@ -22779,7 +22804,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -216,16 +255,32 @@ +@@ -216,16 +256,32 @@ allow spamc_t self:unix_stream_socket connectto; allow spamc_t self:tcp_socket create_stream_socket_perms; allow spamc_t self:udp_socket create_socket_perms; 
@@ -22812,7 +22837,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol corenet_all_recvfrom_unlabeled(spamc_t) corenet_all_recvfrom_netlabel(spamc_t) -@@ -239,6 +294,7 @@ +@@ -239,6 +295,7 @@ corenet_sendrecv_all_client_packets(spamc_t) fs_search_auto_mountpoints(spamc_t) @@ -22820,7 +22845,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # cjp: these should probably be removed: corecmd_list_bin(spamc_t) -@@ -255,9 +311,15 @@ +@@ -255,9 +312,15 @@ files_dontaudit_search_var(spamc_t) # cjp: this may be removable: files_list_home(spamc_t) @@ -22836,7 +22861,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol miscfiles_read_localization(spamc_t) # cjp: this should probably be removed: -@@ -265,13 +327,16 @@ +@@ -265,13 +328,16 @@ sysnet_read_config(spamc_t) @@ -22860,7 +22885,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') optional_policy(` -@@ -280,16 +345,21 @@ +@@ -280,16 +346,21 @@ ') optional_policy(` @@ -22884,7 +22909,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -301,7 +371,7 @@ +@@ -301,7 +372,7 @@ # setuids to the user running spamc. Comment this if you are not # using this ability. @@ -22893,7 +22918,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol dontaudit spamd_t self:capability sys_tty_config; allow spamd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; allow spamd_t self:fd use; -@@ -317,10 +387,13 @@ +@@ -317,10 +388,13 @@ allow spamd_t self:unix_stream_socket connectto; allow spamd_t self:tcp_socket create_stream_socket_perms; allow spamd_t self:udp_socket create_socket_perms; 
@@ -22908,7 +22933,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol files_spool_filetrans(spamd_t, spamd_spool_t, { file dir }) manage_dirs_pattern(spamd_t, spamd_tmp_t, spamd_tmp_t) -@@ -329,10 +402,11 @@ +@@ -329,10 +403,11 @@ # var/lib files for spamd allow spamd_t spamd_var_lib_t:dir list_dir_perms; @@ -22921,7 +22946,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol files_pid_filetrans(spamd_t, spamd_var_run_t, { dir file }) kernel_read_all_sysctls(spamd_t) -@@ -382,22 +456,27 @@ +@@ -382,22 +457,27 @@ init_dontaudit_rw_utmp(spamd_t) @@ -22953,7 +22978,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol fs_manage_cifs_files(spamd_t) ') -@@ -415,6 +494,7 @@ +@@ -415,6 +495,7 @@ optional_policy(` dcc_domtrans_client(spamd_t) @@ -22961,7 +22986,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol dcc_stream_connect_dccifd(spamd_t) ') -@@ -424,10 +504,6 @@ +@@ -424,10 +505,6 @@ ') optional_policy(` @@ -22972,7 +22997,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol postfix_read_config(spamd_t) ') -@@ -442,6 +518,10 @@ +@@ -442,6 +519,10 @@ optional_policy(` razor_domtrans(spamd_t) @@ -22983,7 +23008,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') optional_policy(` -@@ -454,5 +534,9 @@ +@@ -454,5 +535,9 @@ ') optional_policy(` @@ -23340,7 +23365,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.te serefpolicy-3.6.12/policy/modules/services/ssh.te --- nsaserefpolicy/policy/modules/services/ssh.te 2009-01-19 11:06:49.000000000 -0500 -+++ serefpolicy-3.6.12/policy/modules/services/ssh.te 2009-04-23 09:44:57.000000000 -0400 ++++ serefpolicy-3.6.12/policy/modules/services/ssh.te 2009-05-08 12:48:13.000000000 -0400 
@@ -41,6 +41,9 @@ files_tmp_file(sshd_tmp_t) files_poly_parent(sshd_tmp_t) @@ -23440,7 +23465,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol optional_policy(` xserver_user_x_domain_template(ssh, ssh_t, ssh_tmpfs_t) xserver_domtrans_xauth(ssh_t) -+ xserver_stream_connect(ssh_t) ++ xserver_common_app(ssh_t) ') ######################################## @@ -24305,7 +24330,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt.te serefpolicy-3.6.12/policy/modules/services/virt.te --- nsaserefpolicy/policy/modules/services/virt.te 2009-01-19 11:06:49.000000000 -0500 -+++ serefpolicy-3.6.12/policy/modules/services/virt.te 2009-05-07 15:20:59.000000000 -0400 ++++ serefpolicy-3.6.12/policy/modules/services/virt.te 2009-05-08 12:01:14.000000000 -0400 @@ -8,19 +8,31 @@ ## @@ -24399,21 +24424,20 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol read_files_pattern(virtd_t, virt_etc_t, virt_etc_t) read_lnk_files_pattern(virtd_t, virt_etc_t, virt_etc_t) -@@ -67,7 +106,12 @@ +@@ -67,7 +106,11 @@ manage_lnk_files_pattern(virtd_t, virt_etc_rw_t, virt_etc_rw_t) filetrans_pattern(virtd_t, virt_etc_t, virt_etc_rw_t, dir) -manage_files_pattern(virtd_t, virt_image_type, virt_image_type) +virtual_manage_image(virtd_t) +virtual_image_relabel(virtd_t) -+virtual_read_all_domains_state(virtd_t) + +manage_dirs_pattern(virtd_t, virt_content_t, virt_content_t) +manage_files_pattern(virtd_t, virt_content_t, virt_content_t) manage_dirs_pattern(virtd_t, virt_log_t, virt_log_t) manage_files_pattern(virtd_t, virt_log_t, virt_log_t) -@@ -86,6 +130,7 @@ +@@ -86,6 +129,7 @@ kernel_read_network_state(virtd_t) kernel_rw_net_sysctls(virtd_t) kernel_load_module(virtd_t) 
@@ -24421,7 +24445,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol corecmd_exec_bin(virtd_t) corecmd_exec_shell(virtd_t) -@@ -96,29 +141,48 @@ +@@ -96,29 +140,48 @@ corenet_tcp_sendrecv_generic_node(virtd_t) corenet_tcp_sendrecv_all_ports(virtd_t) corenet_tcp_bind_generic_node(virtd_t) @@ -24473,7 +24497,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol term_getattr_pty_fs(virtd_t) term_use_ptmx(virtd_t) -@@ -129,6 +193,13 @@ +@@ -129,6 +192,13 @@ logging_send_syslog_msg(virtd_t) @@ -24487,7 +24511,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol userdom_read_all_users_state(virtd_t) tunable_policy(`virt_use_nfs',` -@@ -167,22 +238,34 @@ +@@ -167,22 +237,34 @@ dnsmasq_domtrans(virtd_t) dnsmasq_signal(virtd_t) dnsmasq_kill(virtd_t) @@ -24527,7 +24551,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') optional_policy(` -@@ -195,8 +278,88 @@ +@@ -195,8 +277,88 @@ xen_stream_connect(virtd_t) xen_stream_connect_xenstore(virtd_t) @@ -24711,7 +24735,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol /var/lib/pam_devperm/:0 -- gen_context(system_u:object_r:xdm_var_lib_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.if serefpolicy-3.6.12/policy/modules/services/xserver.if --- nsaserefpolicy/policy/modules/services/xserver.if 2009-01-05 15:39:43.000000000 -0500 -+++ serefpolicy-3.6.12/policy/modules/services/xserver.if 2009-05-07 14:58:55.000000000 -0400 ++++ serefpolicy-3.6.12/policy/modules/services/xserver.if 2009-05-08 12:47:46.000000000 -0400 @@ -90,7 +90,7 @@ allow $2 xauth_home_t:file manage_file_perms; allow $2 xauth_home_t:file { relabelfrom relabelto }; 
@@ -24851,15 +24875,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -680,6 +680,7 @@ - - files_search_tmp($1) - stream_connect_pattern($1, xdm_tmp_t, xdm_tmp_t, xdm_t) -+ xserver_common_app($1) - ') - - ######################################## -@@ -738,6 +739,7 @@ +@@ -738,6 +738,7 @@ files_search_tmp($1) allow $1 xdm_tmp_t:dir list_dir_perms; create_sock_files_pattern($1, xdm_tmp_t, xdm_tmp_t) @@ -24867,7 +24883,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -756,7 +758,26 @@ +@@ -756,7 +757,26 @@ ') files_search_pids($1) @@ -24895,7 +24911,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -779,6 +800,50 @@ +@@ -779,6 +799,50 @@ ######################################## ## @@ -24946,7 +24962,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## Make an X session script an entrypoint for the specified domain. ## ## -@@ -872,6 +937,27 @@ +@@ -872,6 +936,27 @@ ######################################## ## @@ -24974,7 +24990,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## Do not audit attempts to write the X server ## log files. ## -@@ -1018,10 +1104,11 @@ +@@ -1018,10 +1103,11 @@ # interface(`xserver_domtrans',` gen_require(` @@ -24987,15 +25003,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol domtrans_pattern($1, xserver_exec_t, xserver_t) ') -@@ -1136,6 +1223,7 @@ - - files_search_tmp($1) - stream_connect_pattern($1, xserver_tmp_t, xserver_tmp_t, xserver_t) -+ xserver_common_app($1) - ') - - ######################################## -@@ -1159,6 +1247,275 @@ +@@ -1159,6 +1245,275 @@ ######################################## ## 
@@ -25271,7 +25279,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## Interface to provide X object permissions on a given X server to ## an X client domain. Gives the domain complete control over the ## display. -@@ -1172,7 +1529,102 @@ +@@ -1172,7 +1527,103 @@ interface(`xserver_unconfined',` gen_require(` attribute xserver_unconfined_type; @@ -25350,6 +25358,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + # can receive own events + allow $1 xevent_type:{ x_event x_synthetic_event } { receive send }; + xserver_communicate($1, $1) ++ xserver_stream_connect($1) + xserver_use_xdm($1) +') + @@ -28175,7 +28184,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/modutils.te serefpolicy-3.6.12/policy/modules/system/modutils.te --- nsaserefpolicy/policy/modules/system/modutils.te 2009-01-05 15:39:43.000000000 -0500 -+++ serefpolicy-3.6.12/policy/modules/system/modutils.te 2009-04-23 09:44:57.000000000 -0400 ++++ serefpolicy-3.6.12/policy/modules/system/modutils.te 2009-05-08 12:50:09.000000000 -0400 @@ -42,7 +42,7 @@ # insmod local policy # @@ -30616,7 +30625,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +/dev/shm/mono.* gen_context(system_u:object_r:user_tmpfs_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.6.12/policy/modules/system/userdomain.if --- nsaserefpolicy/policy/modules/system/userdomain.if 2009-01-19 11:07:34.000000000 -0500 -+++ serefpolicy-3.6.12/policy/modules/system/userdomain.if 2009-05-07 10:23:04.000000000 -0400 ++++ serefpolicy-3.6.12/policy/modules/system/userdomain.if 2009-05-08 13:06:19.000000000 -0400 @@ -30,8 +30,9 @@ ') 
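Review bot: `xserver_stream_connect($1)` is added inside xserver_common_app while the reverse calls are removed from xserver_stream_connect and xserver_stream_connect_xdm in the preceding hunks, so common_app is now the superset and stream_connect the narrow interface, but nothing in the interface's documentation says so. Add to its summary block (outside this hunk) a line such as `## Includes xserver_stream_connect() and xserver_use_xdm(); callers do not need to call them separately.` so that callers stop pairing the two, as pulseaudio.te, wine.te and consolekit.te still do after this commit. The start of the xserver_common_app definition is outside the hunk.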
@@ -30978,7 +30987,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ####################################### -@@ -420,34 +421,43 @@ +@@ -420,34 +421,41 @@ ## is the prefix for user_t). ## ## @@ -31023,7 +31032,6 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + xserver_user_client($1, user_tmpfs_t) + xserver_xsession_entry_type($1) + xserver_dontaudit_write_log($1) -+ xserver_stream_connect_xdm($1) # certain apps want to read xdm.pid file - xserver_read_xdm_pid($1_t) + xserver_read_xdm_pid($1) @@ -31033,14 +31041,13 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # Needed for escd, remove if we get escd policy - xserver_manage_xdm_tmp_files($1_t) + xserver_manage_xdm_tmp_files($1) -+ xserver_stream_connect($1) + xserver_xdm_dbus_chat($1) + ') + ') ####################################### -@@ -497,11 +507,7 @@ +@@ -497,11 +505,7 @@ attribute unpriv_userdomain; ') @@ -31053,7 +31060,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ############################## # -@@ -512,189 +518,200 @@ +@@ -512,189 +516,200 @@ dontaudit $1_t self:netlink_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown }; dontaudit $1_t self:netlink_route_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown nlmsg_read nlmsg_write }; @@ -31335,7 +31342,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ####################################### -@@ -722,13 +739,26 @@ +@@ -722,13 +737,26 @@ userdom_base_user_template($1) @@ -31367,7 +31374,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol userdom_change_password_template($1) -@@ -746,70 +776,71 @@ +@@ -746,70 +774,71 @@ allow $1_t self:context contains; 
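Review bot: `xserver_stream_connect_xdm($1)` and `xserver_stream_connect($1)` are removed from userdom_xwindows_client, which a later hunk calls as `userdom_xwindows_client($1_usertype)`, yet the compensating `xserver_common_app($1_t)` added in userdom_restricted_xwindows_user_template (hunk @@ -876 further down) is applied to `$1_t` alone. If `$1_usertype` is an attribute that covers more than `$1_t`, the other members lose the X socket connect this commit moves into xserver_common_app — the attribute's membership is not visible from here. Either put `xserver_common_app($1)` next to `xserver_user_client($1, user_tmpfs_t)` inside userdom_xwindows_client, or confirm that xserver_user_client already covers the connect. The template body extends beyond both hunks.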
@@ -31472,7 +31479,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ') -@@ -846,6 +877,28 @@ +@@ -846,6 +875,28 @@ # Local policy # @@ -31501,16 +31508,19 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol optional_policy(` loadkeys_run($1_t,$1_r) ') -@@ -876,7 +929,7 @@ +@@ -876,7 +927,10 @@ userdom_restricted_user_template($1) - userdom_xwindows_client_template($1) + userdom_xwindows_client($1_usertype) ++ optional_policy(` ++ xserver_common_app($1_t) ++ ') ############################## # -@@ -884,14 +937,19 @@ +@@ -884,14 +938,19 @@ # auth_role($1_r, $1_t) @@ -31535,7 +31545,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol logging_dontaudit_send_audit_msgs($1_t) # Need to to this just so screensaver will work. Should be moved to screensaver domain -@@ -899,28 +957,33 @@ +@@ -899,28 +958,33 @@ selinux_get_enforce_mode($1_t) optional_policy(` @@ -31576,7 +31586,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ') -@@ -954,8 +1017,8 @@ +@@ -954,8 +1018,8 @@ # Declarations # @@ -31586,7 +31596,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol userdom_common_user_template($1) ############################## -@@ -964,11 +1027,12 @@ +@@ -964,11 +1028,12 @@ # # port access is audited even if dac would not have allowed it, so dontaudit it here @@ -31601,7 +31611,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # cjp: why? files_read_kernel_symbol_table($1_t) -@@ -986,37 +1050,55 @@ +@@ -986,37 +1051,55 @@ ') ') @@ -31671,7 +31681,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ####################################### -@@ -1050,7 +1132,7 @@ +@@ -1050,7 +1133,7 @@ # template(`userdom_admin_user_template',` gen_require(` 
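Review bot: In the hunk at `@@ -31501,16 +31508,19 @@`, the new `++ xserver_common_app($1_t)` is applied to the base type while the adjacent `userdom_xwindows_client($1_usertype)` is applied to the usertype attribute, so any other domain carried by `$1_usertype` gets the X client rules but not the common-app rules, including the socket connect this commit folds into them. If the narrower scope is intended, a one-line comment such as `# only the base type connects to the X server socket` would document it; otherwise pass `$1_usertype` for consistency with the line above. The enclosing template starts and ends outside the hunk.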
@@ -31680,7 +31690,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ############################## -@@ -1059,8 +1141,7 @@ +@@ -1059,8 +1142,7 @@ # # Inherit rules for ordinary users. @@ -31690,7 +31700,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol domain_obj_id_change_exemption($1_t) role system_r types $1_t; -@@ -1083,7 +1164,8 @@ +@@ -1083,7 +1165,8 @@ # Skip authentication when pam_rootok is specified. allow $1_t self:passwd rootok; @@ -31700,7 +31710,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol kernel_read_software_raid_state($1_t) kernel_getattr_core_if($1_t) -@@ -1099,6 +1181,7 @@ +@@ -1099,6 +1182,7 @@ kernel_sigstop_unlabeled($1_t) kernel_signull_unlabeled($1_t) kernel_sigchld_unlabeled($1_t) @@ -31708,7 +31718,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol corenet_tcp_bind_generic_port($1_t) # allow setting up tunnels -@@ -1106,8 +1189,6 @@ +@@ -1106,8 +1190,6 @@ dev_getattr_generic_blk_files($1_t) dev_getattr_generic_chr_files($1_t) @@ -31717,7 +31727,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # Allow MAKEDEV to work dev_create_all_blk_files($1_t) dev_create_all_chr_files($1_t) -@@ -1162,20 +1243,6 @@ +@@ -1162,20 +1244,6 @@ # But presently necessary for installing the file_contexts file. seutil_manage_bin_policy($1_t) @@ -31738,7 +31748,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol optional_policy(` postgresql_unconfined($1_t) ') -@@ -1221,6 +1288,7 @@ +@@ -1221,6 +1289,7 @@ dev_relabel_all_dev_nodes($1) files_create_boot_flag($1) @@ -31746,7 +31756,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # Necessary for managing /boot/efi fs_manage_dos_files($1) -@@ -1286,11 +1354,15 @@ +@@ -1286,11 +1355,15 @@ interface(`userdom_user_home_content',` gen_require(` type user_home_t; 
@@ -31762,7 +31772,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -1387,7 +1459,7 @@ +@@ -1387,7 +1460,7 @@ ######################################## ## @@ -31771,7 +31781,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## ## ## -@@ -1420,6 +1492,14 @@ +@@ -1420,6 +1493,14 @@ allow $1 user_home_dir_t:dir list_dir_perms; files_search_home($1) @@ -31786,7 +31796,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -1435,9 +1515,11 @@ +@@ -1435,9 +1516,11 @@ interface(`userdom_dontaudit_list_user_home_dirs',` gen_require(` type user_home_dir_t; @@ -31798,7 +31808,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -1494,6 +1576,25 @@ +@@ -1494,6 +1577,25 @@ allow $1 user_home_dir_t:dir relabelto; ') @@ -31824,7 +31834,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ######################################## ## ## Create directories in the home dir root with -@@ -1568,6 +1669,8 @@ +@@ -1568,6 +1670,8 @@ ') dontaudit $1 user_home_t:dir search_dir_perms; @@ -31833,7 +31843,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -1643,6 +1746,7 @@ +@@ -1643,6 +1747,7 @@ type user_home_dir_t, user_home_t; ') @@ -31841,7 +31851,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol read_files_pattern($1, { user_home_dir_t user_home_t }, user_home_t) files_search_home($1) ') -@@ -1741,30 +1845,80 @@ +@@ -1741,30 +1846,80 @@ ######################################## ## 
@@ -31904,7 +31914,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +interface(`userdom_dontaudit_delete_user_home_content_files',` + gen_require(` + type user_home_t; - ') ++ ') + + allow $1 user_home_t:dir delete_file_perms; +') @@ -31924,7 +31934,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + gen_require(` + type user_home_dir_t; + attribute user_home_type; -+ ') + ') + + files_search_home($1) + exec_files_pattern($1, { user_home_dir_t user_home_type }, user_home_type) @@ -31932,7 +31942,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -1787,6 +1941,46 @@ +@@ -1787,6 +1942,46 @@ ######################################## ## @@ -31979,7 +31989,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## Create, read, write, and delete files ## in a user home subdirectory. ## -@@ -1799,6 +1993,7 @@ +@@ -1799,6 +1994,7 @@ interface(`userdom_manage_user_home_content_files',` gen_require(` type user_home_dir_t, user_home_t; @@ -31987,7 +31997,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') manage_files_pattern($1, user_home_t, user_home_t) -@@ -2328,7 +2523,7 @@ +@@ -2328,7 +2524,7 @@ ######################################## ## @@ -31996,7 +32006,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## ## ## -@@ -2814,12 +3009,12 @@ +@@ -2814,12 +3010,12 @@ type user_tmp_t; ') @@ -32011,7 +32021,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## ## ## -@@ -2827,17 +3022,17 @@ +@@ -2827,17 +3023,35 @@ ## ## # 
@@ -32030,14 +32040,13 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## -## Read the process state of all user domains. +## Do not audit attempts to use user ttys. - ## - ## - ## -@@ -2845,12 +3040,31 @@ - ## - ## - # --interface(`userdom_read_all_users_state',` ++## ++## ++## ++## Domain allowed access. ++## ++## ++# +interface(`userdom_dontaudit_use_user_ttys',` + gen_require(` + type user_tty_device_t; @@ -32049,16 +32058,10 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +######################################## +## +## Read the process state of all user domains. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`userdom_read_all_users_state',` - gen_require(` - attribute userdomain; + ## + ## + ## +@@ -2851,6 +3065,7 @@ ') read_files_pattern($1,userdomain,userdomain) @@ -32066,7 +32069,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol kernel_search_proc($1) ') -@@ -2981,3 +3195,481 @@ +@@ -2981,3 +3196,481 @@ allow $1 userdomain:dbus send_msg; ') @@ -32643,8 +32646,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +# No application file contexts. diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/virtual.if serefpolicy-3.6.12/policy/modules/system/virtual.if --- nsaserefpolicy/policy/modules/system/virtual.if 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.12/policy/modules/system/virtual.if 2009-05-07 10:24:35.000000000 -0400 -@@ -0,0 +1,135 @@ ++++ serefpolicy-3.6.12/policy/modules/system/virtual.if 2009-05-08 13:09:00.000000000 -0400 +@@ -0,0 +1,119 @@ +## Virtual machine emulator and virtualizer + +######################################## 
@@ -32677,6 +32680,11 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +
 + # could be started by libvirt
 + domain_user_exemption_target($1)
++
++ optional_policy(`
++ xserver_common_app($1)
++ ')
++
 +')
 +
 +########################################
@@ -32759,31 +32767,10 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 + allow $1 virtualdomain:process { setsched transition signal signull sigkill };
 +')
 +
-+
-+########################################
-+##
-+## Read the process state of all virtual domains.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`virtual_read_all_domains_state',`
-+ gen_require(`
-+ attribute virtualdomain;
-+ ')
-+
-+ read_files_pattern($1,virtualdomain,virtualdomain)
-+ read_lnk_files_pattern($1,virtualdomain,virtualdomain)
-+ kernel_search_proc($1)
-+')
-+
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/virtual.te serefpolicy-3.6.12/policy/modules/system/virtual.te
 --- nsaserefpolicy/policy/modules/system/virtual.te 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.6.12/policy/modules/system/virtual.te 2009-04-23 09:44:57.000000000 -0400
++++ serefpolicy-3.6.12/policy/modules/system/virtual.te 2009-05-08 13:08:19.000000000 -0400
-@@ -0,0 +1,80 @@
+@@ -0,0 +1,79 @@
 +
 +policy_module(virtualization, 1.1.2)
 +
@@ -32859,7 +32846,6 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +')
 +
 +optional_policy(`
-+ xserver_stream_connect(virtualdomain)
 + xserver_read_xdm_tmp_files(virtualdomain)
 + xserver_read_xdm_pid(virtualdomain)
 + xserver_rw_shm(virtualdomain)
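Review bot: The hunk at `@@ -32759,31 +32767,10 @@` deletes the whole `virtual_read_all_domains_state` interface from virtual.if, no caller is cleaned up in the visible part of the patch, and the commit message (about /var/lib/fprint) does not mention the removal; any module still invoking it will fail to build. If it is superseded by the userdomain.if state-reading interface, say so in the description, otherwise keep the interface until callers are migrated. In the first hunk, the `++ optional_policy(\`` block around `xserver_common_app($1)` now supplies per-type X client access, including the socket connect that `-+ xserver_stream_connect(virtualdomain)` used to grant on the attribute in the third hunk; a comment such as `# X socket access now comes from xserver_common_app per domain` at the virtual.te block would keep the two scopes from diverging unnoticed.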