diff --git a/policy-20090105.patch b/policy-20090105.patch index 88955b6..80d80f2 100644 --- a/policy-20090105.patch +++ b/policy-20090105.patch @@ -5643,7 +5643,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol /var/lib/nfs/rpc_pipefs(/.*)? <> diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.if serefpolicy-3.6.7/policy/modules/kernel/files.if --- nsaserefpolicy/policy/modules/kernel/files.if 2009-01-05 15:39:38.000000000 -0500 -+++ serefpolicy-3.6.7/policy/modules/kernel/files.if 2009-03-03 17:11:59.000000000 -0500 ++++ serefpolicy-3.6.7/policy/modules/kernel/files.if 2009-03-04 08:43:36.000000000 -0500 @@ -110,6 +110,11 @@ ## # @@ -9914,7 +9914,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/avahi.te serefpolicy-3.6.7/policy/modules/services/avahi.te --- nsaserefpolicy/policy/modules/services/avahi.te 2009-01-19 11:06:49.000000000 -0500 -+++ serefpolicy-3.6.7/policy/modules/services/avahi.te 2009-03-03 17:11:59.000000000 -0500 ++++ serefpolicy-3.6.7/policy/modules/services/avahi.te 2009-03-04 14:39:26.000000000 -0500 @@ -33,6 +33,7 @@ allow avahi_t self:tcp_socket create_stream_socket_perms; allow avahi_t self:udp_socket create_socket_perms; @@ -14371,7 +14371,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerneloops.te serefpolicy-3.6.7/policy/modules/services/kerneloops.te --- nsaserefpolicy/policy/modules/services/kerneloops.te 2009-01-19 11:06:49.000000000 -0500 -+++ serefpolicy-3.6.7/policy/modules/services/kerneloops.te 2009-03-03 17:11:59.000000000 -0500 ++++ serefpolicy-3.6.7/policy/modules/services/kerneloops.te 2009-03-04 14:40:13.000000000 -0500 @@ -13,6 +13,9 @@ type kerneloops_initrc_exec_t; init_script_file(kerneloops_initrc_exec_t) @@ -14392,6 +14392,14 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol kernel_read_ring_buffer(kerneloops_t) # Init script handling +@@ -46,6 +52,5 @@ + sysnet_dns_name_resolve(kerneloops_t) + + optional_policy(` +- dbus_system_bus_client(kerneloops_t) +- dbus_connect_system_bus(kerneloops_t) ++ dbus_system_domain(kerneloops_t, kerneloops_exec_t) + ') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ktalk.te serefpolicy-3.6.7/policy/modules/services/ktalk.te --- nsaserefpolicy/policy/modules/services/ktalk.te 2009-01-19 11:06:49.000000000 -0500 +++ serefpolicy-3.6.7/policy/modules/services/ktalk.te 2009-03-03 17:11:59.000000000 -0500 @@ -16728,10 +16736,32 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +optional_policy(` + prelude_manage_spool(pads_t) +') +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pcscd.fc serefpolicy-3.6.7/policy/modules/services/pcscd.fc +--- nsaserefpolicy/policy/modules/services/pcscd.fc 2008-08-07 11:15:11.000000000 -0400 ++++ serefpolicy-3.6.7/policy/modules/services/pcscd.fc 2009-03-04 08:18:35.000000000 -0500 +@@ -1,5 +1,6 @@ + /var/run/pcscd\.comm -s gen_context(system_u:object_r:pcscd_var_run_t,s0) + /var/run/pcscd\.pid -- gen_context(system_u:object_r:pcscd_var_run_t,s0) + /var/run/pcscd\.pub -- gen_context(system_u:object_r:pcscd_var_run_t,s0) ++/var/run/pcscd\.events(/.*)? gen_context(system_u:object_r:pcscd_var_run_t,s0) + + /usr/sbin/pcscd -- gen_context(system_u:object_r:pcscd_exec_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pcscd.te serefpolicy-3.6.7/policy/modules/services/pcscd.te --- nsaserefpolicy/policy/modules/services/pcscd.te 2009-01-19 11:06:49.000000000 -0500 -+++ serefpolicy-3.6.7/policy/modules/services/pcscd.te 2009-03-03 17:11:59.000000000 -0500 -@@ -57,6 +57,14 @@ ++++ serefpolicy-3.6.7/policy/modules/services/pcscd.te 2009-03-04 08:18:14.000000000 -0500 +@@ -27,9 +27,10 @@ + allow pcscd_t self:unix_dgram_socket create_socket_perms; + allow pcscd_t self:tcp_socket create_stream_socket_perms; + ++manage_dirs_pattern(pcscd_t, pcscd_var_run_t, pcscd_var_run_t) + manage_files_pattern(pcscd_t, pcscd_var_run_t, pcscd_var_run_t) + manage_sock_files_pattern(pcscd_t, pcscd_var_run_t, pcscd_var_run_t) +-files_pid_filetrans(pcscd_t, pcscd_var_run_t, { file sock_file }) ++files_pid_filetrans(pcscd_t, pcscd_var_run_t, { file sock_file dir }) + + corenet_all_recvfrom_unlabeled(pcscd_t) + corenet_all_recvfrom_netlabel(pcscd_t) +@@ -57,6 +58,14 @@ sysnet_dns_name_resolve(pcscd_t) optional_policy(` @@ -22945,7 +22975,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.te serefpolicy-3.6.7/policy/modules/services/ssh.te --- nsaserefpolicy/policy/modules/services/ssh.te 2009-01-19 11:06:49.000000000 -0500 -+++ serefpolicy-3.6.7/policy/modules/services/ssh.te 2009-03-03 17:11:59.000000000 -0500 ++++ serefpolicy-3.6.7/policy/modules/services/ssh.te 2009-03-04 12:12:58.000000000 -0500 @@ -41,6 +41,9 @@ files_tmp_file(sshd_tmp_t) files_poly_parent(sshd_tmp_t) @@ -23016,7 +23046,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol term_use_all_user_ptys(sshd_t) term_setattr_all_user_ptys(sshd_t) term_relabelto_all_user_ptys(sshd_t) -@@ -318,6 +328,13 @@ +@@ -318,16 +328,30 @@ corenet_tcp_bind_xserver_port(sshd_t) corenet_sendrecv_xserver_server_packets(sshd_t) @@ -23030,22 +23060,26 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol tunable_policy(`ssh_sysadm_login',` # Relabel and access ptys created by sshd # ioctl is necessary for logout() processing for utmp entry and for w to -@@ -331,6 +348,14 @@ - ') - - optional_policy(` -+ kerberos_keytab_template(sshd, sshd_t) + # display the tty. + # some versions of sshd on the new SE Linux require setattr +- userdom_spec_domtrans_all_users(sshd_t) + userdom_signal_all_users(sshd_t) +-',` +') + + userdom_spec_domtrans_unpriv_users(sshd_t) + userdom_signal_unpriv_users(sshd_t) ++ +optional_policy(` -+ xserver_getattr_xauth(sshd_t) ++ kerberos_keytab_template(sshd, sshd_t) +') + +optional_policy(` - daemontools_service_domain(sshd_t, sshd_exec_t) ++ xserver_getattr_xauth(sshd_t) ') -@@ -349,7 +374,11 @@ + optional_policy(` +@@ -349,7 +373,11 @@ ') optional_policy(` @@ -23058,7 +23092,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol unconfined_shell_domtrans(sshd_t) ') -@@ -408,6 +437,8 @@ +@@ -408,6 +436,8 @@ init_use_fds(ssh_keygen_t) init_use_script_ptys(ssh_keygen_t) @@ -23558,7 +23592,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt.te serefpolicy-3.6.7/policy/modules/services/virt.te --- nsaserefpolicy/policy/modules/services/virt.te 2009-01-19 11:06:49.000000000 -0500 -+++ serefpolicy-3.6.7/policy/modules/services/virt.te 2009-03-03 18:39:13.000000000 -0500 ++++ serefpolicy-3.6.7/policy/modules/services/virt.te 2009-03-04 07:37:30.000000000 -0500 @@ -8,20 +8,18 @@ ## @@ -23658,7 +23692,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol corenet_tcp_bind_vnc_port(virtd_t) corenet_tcp_connect_vnc_port(virtd_t) corenet_tcp_connect_soundd_port(virtd_t) -@@ -107,18 +132,25 @@ +@@ -107,18 +132,31 @@ # Init script handling domain_use_interactive_fds(virtd_t) @@ -23671,7 +23705,14 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +files_read_usr_files(virtd_t) files_read_etc_runtime_files(virtd_t) files_search_all(virtd_t) - files_list_kernel_modules(virtd_t) +-files_list_kernel_modules(virtd_t) ++files_read_kernel_modules(virtd_t) ++files_getattr_usr_src_files(virtd_t) ++ ++# Manages /etc/sysconfig/system-config-firewall ++files_manage_etc_files(virtd_t) ++ ++modutils_read_module_deps(virtd_t) fs_list_auto_mountpoints(virtd_t) +fs_getattr_xattr_fs(virtd_t) @@ -23684,7 +23725,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol term_getattr_pty_fs(virtd_t) term_use_ptmx(virtd_t) -@@ -129,7 +161,11 @@ +@@ -129,7 +167,11 @@ logging_send_syslog_msg(virtd_t) @@ -23696,7 +23737,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol tunable_policy(`virt_use_nfs',` fs_manage_nfs_dirs(virtd_t) -@@ -167,22 +203,25 @@ +@@ -167,22 +209,25 @@ dnsmasq_domtrans(virtd_t) dnsmasq_signal(virtd_t) dnsmasq_kill(virtd_t) @@ -23727,7 +23768,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') optional_policy(` -@@ -197,6 +236,69 @@ +@@ -197,6 +242,69 @@ xen_stream_connect_xenstore(virtd_t) ') @@ -29385,8 +29426,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.te serefpolicy-3.6.7/policy/modules/system/unconfined.te --- nsaserefpolicy/policy/modules/system/unconfined.te 2008-11-11 16:13:48.000000000 -0500 -+++ serefpolicy-3.6.7/policy/modules/system/unconfined.te 2009-03-03 17:11:59.000000000 -0500 -@@ -5,36 +5,86 @@ ++++ serefpolicy-3.6.7/policy/modules/system/unconfined.te 2009-03-04 13:46:08.000000000 -0500 +@@ -5,6 +5,35 @@ # # Declarations # @@ -29422,14 +29463,10 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # usage in this module of types created by these # calls is not correct, however we dont currently - # have another method to add access to these types --userdom_base_user_template(unconfined) --userdom_manage_home_role(unconfined_r, unconfined_t) --userdom_manage_tmp_role(unconfined_r, unconfined_t) --userdom_manage_tmpfs_role(unconfined_r, unconfined_t) -+userdom_restricted_user_template(unconfined) -+#userdom_common_user_template(unconfined) -+#userdom_xwindows_client_template(unconfined) +@@ -13,28 +42,50 @@ + userdom_manage_home_role(unconfined_r, unconfined_t) + userdom_manage_tmp_role(unconfined_r, unconfined_t) + userdom_manage_tmpfs_role(unconfined_r, unconfined_t) +userdom_execmod_user_home_files(unconfined_t) type unconfined_exec_t; @@ -29480,7 +29517,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol libs_run_ldconfig(unconfined_t, unconfined_r) -@@ -42,26 +92,46 @@ +@@ -42,26 +93,46 @@ logging_run_auditctl(unconfined_t, unconfined_r) mount_run_unconfined(unconfined_t, unconfined_r) @@ -29529,7 +29566,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') optional_policy(` -@@ -102,12 +172,24 @@ +@@ -102,12 +173,24 @@ ') optional_policy(` @@ -29554,7 +29591,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') optional_policy(` -@@ -119,31 +201,33 @@ +@@ -119,31 +202,33 @@ ') optional_policy(` @@ -29595,7 +29632,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') optional_policy(` -@@ -155,36 +239,38 @@ +@@ -155,36 +240,38 @@ ') optional_policy(` @@ -29646,7 +29683,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') optional_policy(` -@@ -192,7 +278,7 @@ +@@ -192,7 +279,7 @@ ') optional_policy(` @@ -29655,7 +29692,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') optional_policy(` -@@ -204,11 +290,12 @@ +@@ -204,11 +291,12 @@ ') optional_policy(` @@ -29670,7 +29707,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -218,14 +305,61 @@ +@@ -218,14 +306,61 @@ allow unconfined_execmem_t self:process { execstack execmem }; unconfined_domain_noaudit(unconfined_execmem_t) @@ -29748,7 +29785,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +/dev/shm/mono.* gen_context(system_u:object_r:user_tmpfs_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.6.7/policy/modules/system/userdomain.if --- nsaserefpolicy/policy/modules/system/userdomain.if 2009-01-19 11:07:34.000000000 -0500 -+++ serefpolicy-3.6.7/policy/modules/system/userdomain.if 2009-03-03 18:02:25.000000000 -0500 ++++ serefpolicy-3.6.7/policy/modules/system/userdomain.if 2009-03-04 13:47:45.000000000 -0500 @@ -30,8 +30,9 @@ ') @@ -30457,22 +30494,18 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ####################################### -@@ -722,15 +736,29 @@ +@@ -722,13 +736,26 @@ userdom_base_user_template($1) - userdom_manage_home_role($1_r, $1_t) -+ userdom_change_password_template($1) -+ + userdom_manage_home_role($1_r, $1_usertype) - -- userdom_manage_tmp_role($1_r, $1_t) -- userdom_manage_tmpfs_role($1_r, $1_t) ++ + userdom_manage_tmp_role($1_r, $1_usertype) + userdom_manage_tmpfs_role($1_r, $1_usertype) -- userdom_exec_user_tmp_files($1_t) -- userdom_exec_user_home_content_files($1_t) +- userdom_manage_tmp_role($1_r, $1_t) +- userdom_manage_tmpfs_role($1_r, $1_t) + ifelse(`$1',`unconfined',`',` + gen_tunable(allow_$1_exec_content, true) + @@ -30483,17 +30516,17 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + tunable_policy(`allow_$1_exec_content && use_nfs_home_dirs',` + fs_exec_nfs_files($1_usertype) + ') -+ + +- userdom_exec_user_tmp_files($1_t) +- userdom_exec_user_home_content_files($1_t) + tunable_policy(`allow_$1_exec_content && use_samba_home_dirs',` + fs_exec_cifs_files($1_usertype) + ') + ') -- userdom_change_password_template($1) + userdom_change_password_template($1) - ############################## - # -@@ -746,70 +774,72 @@ +@@ -746,70 +773,71 @@ allow $1_t self:context contains; @@ -30513,6 +30546,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol - files_dontaudit_list_default($1_t) - files_dontaudit_read_default_files($1_t) ++ files_dontaudit_list_default($1_usertype) ++ files_dontaudit_read_default_files($1_usertype) # Stat lost+found. - files_getattr_lost_found_dirs($1_t) + files_getattr_lost_found_dirs($1_usertype) @@ -30523,18 +30558,15 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol - fs_search_auto_mountpoints($1_t) - fs_list_inotifyfs($1_t) - fs_rw_anon_inodefs_files($1_t) -+ files_dontaudit_list_default($1_usertype) -+ files_dontaudit_read_default_files($1_usertype) - -- auth_dontaudit_write_login_records($1_t) + fs_get_all_fs_quotas($1_usertype) + fs_getattr_all_fs($1_usertype) + fs_search_all($1_usertype) + fs_list_inotifyfs($1_usertype) + fs_rw_anon_inodefs_files($1_usertype) + auth_dontaudit_write_login_records($1_t) +- - application_exec_all($1_t) -+ auth_dontaudit_write_login_records($1_t) + auth_rw_cache($1_t) # The library functions always try to open read-write first, @@ -30599,7 +30631,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ') -@@ -846,6 +876,28 @@ +@@ -846,6 +874,28 @@ # Local policy # @@ -30628,7 +30660,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol optional_policy(` loadkeys_run($1_t,$1_r) ') -@@ -876,7 +928,7 @@ +@@ -876,7 +926,7 @@ userdom_restricted_user_template($1) @@ -30637,7 +30669,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ############################## # -@@ -884,14 +936,19 @@ +@@ -884,14 +934,19 @@ # auth_role($1_r, $1_t) @@ -30662,7 +30694,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol logging_dontaudit_send_audit_msgs($1_t) # Need to to this just so screensaver will work. Should be moved to screensaver domain -@@ -899,28 +956,29 @@ +@@ -899,28 +954,29 @@ selinux_get_enforce_mode($1_t) optional_policy(` @@ -30700,17 +30732,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ') -@@ -931,8 +989,7 @@ - ## - ## - ##

--## The template for creating a unprivileged user roughly --## equivalent to a regular linux user. -+## The template containing the most basic rules common to all users. - ##

- ##

- ## This template creates a user domain, types, and -@@ -954,8 +1011,8 @@ +@@ -954,8 +1010,8 @@ # Declarations # @@ -30720,7 +30742,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol userdom_common_user_template($1) ############################## -@@ -964,11 +1021,12 @@ +@@ -964,11 +1020,12 @@ # # port access is audited even if dac would not have allowed it, so dontaudit it here @@ -30735,7 +30757,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # cjp: why? files_read_kernel_symbol_table($1_t) -@@ -986,37 +1044,47 @@ +@@ -986,37 +1043,47 @@ ') ') @@ -30797,7 +30819,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ####################################### -@@ -1050,7 +1118,7 @@ +@@ -1050,7 +1117,7 @@ # template(`userdom_admin_user_template',` gen_require(` @@ -30806,7 +30828,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ############################## -@@ -1059,8 +1127,7 @@ +@@ -1059,8 +1126,7 @@ # # Inherit rules for ordinary users. @@ -30816,7 +30838,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol domain_obj_id_change_exemption($1_t) role system_r types $1_t; -@@ -1083,7 +1150,8 @@ +@@ -1083,7 +1149,8 @@ # Skip authentication when pam_rootok is specified. allow $1_t self:passwd rootok; @@ -30826,7 +30848,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol kernel_read_software_raid_state($1_t) kernel_getattr_core_if($1_t) -@@ -1099,6 +1167,7 @@ +@@ -1099,6 +1166,7 @@ kernel_sigstop_unlabeled($1_t) kernel_signull_unlabeled($1_t) kernel_sigchld_unlabeled($1_t) @@ -30834,7 +30856,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol corenet_tcp_bind_generic_port($1_t) # allow setting up tunnels -@@ -1106,8 +1175,6 @@ +@@ -1106,8 +1174,6 @@ dev_getattr_generic_blk_files($1_t) dev_getattr_generic_chr_files($1_t) @@ -30843,7 +30865,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # Allow MAKEDEV to work dev_create_all_blk_files($1_t) dev_create_all_chr_files($1_t) -@@ -1162,20 +1229,6 @@ +@@ -1162,20 +1228,6 @@ # But presently necessary for installing the file_contexts file. seutil_manage_bin_policy($1_t) @@ -30864,7 +30886,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol optional_policy(` postgresql_unconfined($1_t) ') -@@ -1221,6 +1274,7 @@ +@@ -1221,6 +1273,7 @@ dev_relabel_all_dev_nodes($1) files_create_boot_flag($1) @@ -30872,7 +30894,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # Necessary for managing /boot/efi fs_manage_dos_files($1) -@@ -1286,11 +1340,15 @@ +@@ -1286,11 +1339,15 @@ interface(`userdom_user_home_content',` gen_require(` type user_home_t; @@ -30888,7 +30910,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -1387,7 +1445,7 @@ +@@ -1387,7 +1444,7 @@ ######################################## ##

@@ -30897,7 +30919,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## ## ## -@@ -1420,6 +1478,14 @@ +@@ -1420,6 +1477,14 @@ allow $1 user_home_dir_t:dir list_dir_perms; files_search_home($1) @@ -30912,7 +30934,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -1435,9 +1501,11 @@ +@@ -1435,9 +1500,11 @@ interface(`userdom_dontaudit_list_user_home_dirs',` gen_require(` type user_home_dir_t; @@ -30924,7 +30946,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -1494,6 +1562,25 @@ +@@ -1494,6 +1561,25 @@ allow $1 user_home_dir_t:dir relabelto; ') @@ -30950,19 +30972,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ######################################## ## ## Create directories in the home dir root with -@@ -1547,9 +1634,9 @@ - type user_home_dir_t, user_home_t; - ') - -- domain_auto_trans($1, user_home_t, $2) -- allow $1 user_home_dir_t:dir search_dir_perms; - files_search_home($1) -+ allow $1 user_home_dir_t:dir search_dir_perms; -+ domain_auto_trans($1, user_home_t, $2) - ') - - ######################################## -@@ -1568,6 +1655,8 @@ +@@ -1568,6 +1654,8 @@ ') dontaudit $1 user_home_t:dir search_dir_perms; @@ -30971,7 +30981,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -1643,6 +1732,7 @@ +@@ -1643,6 +1731,7 @@ type user_home_dir_t, user_home_t; ') @@ -30979,7 +30989,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol read_files_pattern($1, { user_home_dir_t user_home_t }, user_home_t) files_search_home($1) ') -@@ -1741,6 +1831,62 @@ +@@ -1741,6 +1830,62 @@ ######################################## ## @@ -31042,7 +31052,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## Execute user home files. ## ## -@@ -1757,14 +1903,6 @@ +@@ -1757,14 +1902,6 @@ files_search_home($1) exec_files_pattern($1, { user_home_dir_t user_home_t }, user_home_t) @@ -31057,7 +31067,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -1787,6 +1925,46 @@ +@@ -1787,6 +1924,46 @@ ######################################## ## @@ -31104,7 +31114,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## Create, read, write, and delete files ## in a user home subdirectory. ## -@@ -1799,6 +1977,7 @@ +@@ -1799,6 +1976,7 @@ interface(`userdom_manage_user_home_content_files',` gen_require(` type user_home_dir_t, user_home_t; @@ -31112,135 +31122,16 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') manage_files_pattern($1, user_home_t, user_home_t) -@@ -1921,7 +2100,7 @@ - - ######################################## - ## --## Create objects in a user home directory -+## Create objects in the /root directory - ## with an automatic type transition to - ## a specified private type. - ## -@@ -1941,28 +2120,58 @@ - ## - ## - # --interface(`userdom_user_home_content_filetrans',` -+interface(`userdom_admin_home_dir_filetrans',` - gen_require(` -- type user_home_dir_t, user_home_t; -+ type admin_home_t; - ') - -- filetrans_pattern($1, user_home_t, $2, $3) -- allow $1 user_home_dir_t:dir search_dir_perms; -- files_search_home($1) -+ filetrans_pattern($1, admin_home_t, $2, $3) - ') +@@ -2328,7 +2506,7 @@ ######################################## ## - ## Create objects in a user home directory - ## with an automatic type transition to --## the user home file type. -+## a specified private type. - ## - ## - ## - ## Domain allowed access. - ## - ## --## -+## -+## -+## The type of the object to create. -+## -+## -+## -+## -+## The class of the object to be created. -+## -+## -+# -+interface(`userdom_user_home_content_filetrans',` -+ gen_require(` -+ type user_home_dir_t, user_home_t; -+ ') -+ -+ filetrans_pattern($1, user_home_t, $2, $3) -+ allow $1 user_home_dir_t:dir search_dir_perms; -+ files_search_home($1) -+') -+ -+######################################## -+## -+## Create objects in a user home directory -+## with an automatic type transition to -+## the user home file type. -+## -+## -+## -+## Domain allowed access. -+## -+## -+## - ## - ## The class of the object to be created. - ## -@@ -2336,6 +2545,27 @@ - ## - ## - # -+interface(`userdom_read_user_tmpfs_files',` -+ gen_require(` -+ type user_tmpfs_t; -+ ') -+ -+ read_files_pattern($1, user_tmpfs_t, user_tmpfs_t) -+ read_lnk_files_pattern($1, user_tmpfs_t, user_tmpfs_t) -+ allow $1 user_tmpfs_t:dir list_dir_perms; -+ fs_search_tmpfs($1) -+') -+ -+######################################## -+## +-## Read user tmpfs files. +## Read/Write user tmpfs files. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# - interface(`userdom_rw_user_tmpfs_files',` - gen_require(` - type user_tmpfs_t; -@@ -2709,6 +2939,24 @@ - - ######################################## - ## -+## Send signull to unprivileged user domains. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`userdom_signull_unpriv_users',` -+ gen_require(` -+ attribute unpriv_userdomain; -+ ') -+ -+ allow $1 unpriv_userdomain:process signull; -+') -+ -+######################################## -+## - ## Inherit the file descriptors from unprivileged user domains. ## ## -@@ -2814,7 +3062,43 @@ + ## +@@ -2814,7 +2992,25 @@ type user_tmp_t; ') @@ -31250,24 +31141,6 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + +######################################## +## -+## Write all users files in /tmp -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`userdom_write_user_tmp_dirs',` -+ gen_require(` -+ type user_tmp_t; -+ ') -+ -+ write_files_pattern($1, user_tmp_t, user_tmp_t) -+') -+ -+######################################## -+## +## Delete all users files in /tmp +## +## @@ -31285,7 +31158,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -2851,6 +3135,7 @@ +@@ -2851,6 +3047,7 @@ ') read_files_pattern($1,userdomain,userdomain) @@ -31293,32 +31166,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol kernel_search_proc($1) ') -@@ -2965,6 +3250,24 @@ - - ######################################## - ## -+## Manage keys for all user domains. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`userdom_manage_all_users_keys',` -+ gen_require(` -+ attribute userdomain; -+ ') -+ -+ allow $1 userdomain:key manage_key_perms; -+') -+ -+######################################## -+## - ## Send a dbus message to all user domains. - ## - ## -@@ -2981,3 +3284,338 @@ +@@ -2981,3 +3178,462 @@ allow $1 userdomain:dbus send_msg; ') @@ -31549,6 +31397,24 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + +######################################## +## ++## Add attrinute admin domain ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`userdom_admin',` ++ gen_require(` ++ attribute admin_userdomain; ++ ') ++ ++ typeattribute $1 admin_userdomain; ++') ++ ++######################################## ++## +## Send a message to unpriv users over a unix domain +## datagram socket. +## @@ -31657,9 +31523,115 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + + type_transition $1 user_home_dir_t:$2 user_home_t; +') ++ ++######################################## ++## ++## Create objects in the /root directory ++## with an automatic type transition to ++## a specified private type. ++## ++## ++## ++## Domain allowed access. ++## ++## ++## ++## ++## The type of the object to create. ++## ++## ++## ++## ++## The class of the object to be created. ++## ++## ++# ++interface(`userdom_admin_home_dir_filetrans',` ++ gen_require(` ++ type admin_home_t; ++ ') ++ ++ filetrans_pattern($1, admin_home_t, $2, $3) ++') ++ ++######################################## ++## ++## Send signull to unprivileged user domains. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`userdom_signull_unpriv_users',` ++ gen_require(` ++ attribute unpriv_userdomain; ++ ') ++ ++ allow $1 unpriv_userdomain:process signull; ++') ++ ++######################################## ++## ++## Read user tmpfs files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`userdom_read_user_tmpfs_files',` ++ gen_require(` ++ type user_tmpfs_t; ++ ') ++ ++ read_files_pattern($1, user_tmpfs_t, user_tmpfs_t) ++ read_lnk_files_pattern($1, user_tmpfs_t, user_tmpfs_t) ++ allow $1 user_tmpfs_t:dir list_dir_perms; ++ fs_search_tmpfs($1) ++') ++ ++######################################## ++## ++## Write all users files in /tmp ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`userdom_write_user_tmp_dirs',` ++ gen_require(` ++ type user_tmp_t; ++ ') ++ ++ write_files_pattern($1, user_tmp_t, user_tmp_t) ++') ++ ++######################################## ++## ++## Manage keys for all user domains. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`userdom_manage_all_users_keys',` ++ gen_require(` ++ attribute userdomain; ++ ') ++ ++ allow $1 userdomain:key manage_key_perms; ++') ++ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.te serefpolicy-3.6.7/policy/modules/system/userdomain.te --- nsaserefpolicy/policy/modules/system/userdomain.te 2009-01-19 11:07:34.000000000 -0500 -+++ serefpolicy-3.6.7/policy/modules/system/userdomain.te 2009-03-03 17:11:59.000000000 -0500 ++++ serefpolicy-3.6.7/policy/modules/system/userdomain.te 2009-03-04 13:46:42.000000000 -0500 @@ -8,13 +8,6 @@ ## diff --git a/selinux-policy.spec b/selinux-policy.spec index 4a1f98a..12f2f7d 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -20,7 +20,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.6.7 -Release: 1%{?dist} +Release: 2%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -446,6 +446,9 @@ exit 0 %endif %changelog +* Wed Mar 4 2009 Dan Walsh 3.6.7-2 +- Fixes for libvirt + * Mon Mar 2 2009 Dan Walsh 3.6.7-1 - Update to Latest upstream