diff --git a/policy-20071130.patch b/policy-20071130.patch index c3db258..8dc90d8 100644 --- a/policy-20071130.patch +++ b/policy-20071130.patch @@ -2035,7 +2035,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.fc +/usr/bin/octave-[^/]* -- gen_context(system_u:object_r:java_exec_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.if serefpolicy-3.2.5/policy/modules/apps/java.if --- nsaserefpolicy/policy/modules/apps/java.if 2007-10-12 08:56:02.000000000 -0400 -+++ serefpolicy-3.2.5/policy/modules/apps/java.if 2007-12-19 05:38:08.000000000 -0500 ++++ serefpolicy-3.2.5/policy/modules/apps/java.if 2007-12-19 16:29:03.000000000 -0500 @@ -32,7 +32,7 @@ ## ## @@ -2124,7 +2124,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.if ') ######################################## -@@ -219,3 +272,66 @@ +@@ -219,3 +272,67 @@ corecmd_search_bin($1) domtrans_pattern($1, java_exec_t, java_t) ') @@ -2191,10 +2191,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.if + role $2 types java_t; + allow java_t $3:chr_file rw_term_perms; +') ++ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.te serefpolicy-3.2.5/policy/modules/apps/java.te --- nsaserefpolicy/policy/modules/apps/java.te 2007-12-19 05:32:09.000000000 -0500 -+++ serefpolicy-3.2.5/policy/modules/apps/java.te 2007-12-19 05:38:08.000000000 -0500 -@@ -6,13 +6,6 @@ ++++ serefpolicy-3.2.5/policy/modules/apps/java.te 2007-12-19 16:44:59.000000000 -0500 +@@ -6,16 +6,10 @@ # Declarations # @@ -2208,7 +2209,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.te type java_t; type java_exec_t; init_system_domain(java_t,java_exec_t) -@@ -23,11 +16,23 @@ ++typealias java_t alias unconfined_java_t; + + ######################################## + # +@@ -23,11 +17,23 @@ # # execheap is needed for itanium/BEA jrocket 
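Review bot: The new `typealias java_t alias unconfined_java_t;` in the java.te hunk (`@@ -6,16 +6,10 @@`) carries no comment, and the only declaration visible around it is `init_system_domain(java_t,java_exec_t)`, so a reader cannot tell whether the alias is a compatibility shim for old callers or whether java_t is still meant to be an unconfined domain. Since unconfined.te in the same change starts calling `java_run(unconfined_t, ...)`, I would state the intent on the line: `# compatibility alias: policy that still names unconfined_java_t now lands in java_t`. The declarations removed at the top of that hunk are outside this view, so I cannot confirm what unconfined_java_t was before. Separately, the `@@ -2191,10 +2191,11 @@` hunk appends an empty `++` line after java.if's closing `')`, which leaves a trailing blank line at end of file.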
@@ -2246,7 +2251,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/loadkeys +userdom_dontaudit_write_unpriv_user_home_content_files(loadkeys_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mono.if serefpolicy-3.2.5/policy/modules/apps/mono.if --- nsaserefpolicy/policy/modules/apps/mono.if 2007-01-02 12:57:22.000000000 -0500 -+++ serefpolicy-3.2.5/policy/modules/apps/mono.if 2007-12-19 05:38:08.000000000 -0500 ++++ serefpolicy-3.2.5/policy/modules/apps/mono.if 2007-12-19 16:28:53.000000000 -0500 @@ -18,3 +18,105 @@ corecmd_search_bin($1) domtrans_pattern($1, mono_exec_t, mono_t) @@ -6838,6 +6843,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/inet +optional_policy(` + inetd_service_domain(inetd_child_t,bin_t) +') +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/inn.te serefpolicy-3.2.5/policy/modules/services/inn.te +--- nsaserefpolicy/policy/modules/services/inn.te 2007-12-19 05:32:17.000000000 -0500 ++++ serefpolicy-3.2.5/policy/modules/services/inn.te 2007-12-19 15:36:20.000000000 -0500 +@@ -22,7 +22,7 @@ + files_pid_file(innd_var_run_t) + + type news_spool_t; +-files_type(news_spool_t) ++files_mountpoint(news_spool_t) + + ######################################## + # diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerberos.fc serefpolicy-3.2.5/policy/modules/services/kerberos.fc --- nsaserefpolicy/policy/modules/services/kerberos.fc 2006-11-16 17:15:21.000000000 -0500 +++ serefpolicy-3.2.5/policy/modules/services/kerberos.fc 2007-12-19 05:38:09.000000000 -0500 
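Review bot: `files_mountpoint(news_spool_t)` replaces `files_type(news_spool_t)` in the new inn.te hunk with nothing explaining why the spool type must be usable as a mount point, and the surrounding declaration block otherwise reads like an ordinary file type. If the motivation is that the news spool commonly lives on its own filesystem, say so next to the call: `# news spool may be a separately mounted filesystem`. That motivation is my inference; the hunk itself only shows the interface swap.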
@@ -8285,7 +8302,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/polk + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/polkit.te serefpolicy-3.2.5/policy/modules/services/polkit.te --- nsaserefpolicy/policy/modules/services/polkit.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.2.5/policy/modules/services/polkit.te 2007-12-19 09:39:14.000000000 -0500 ++++ serefpolicy-3.2.5/policy/modules/services/polkit.te 2007-12-19 15:17:09.000000000 -0500 @@ -0,0 +1,63 @@ +policy_module(polkit_auth,1.0.0) + @@ -8303,7 +8320,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/polk +files_type(polkit_var_lib_t) + +type polkit_var_run_t; -+files_pid_files(polkit_var_run_t) ++files_pid_file(polkit_var_run_t) + +######################################## +# @@ -13759,7 +13776,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf +/usr/sbin/sysreport -- gen_context(system_u:object_r:unconfined_notrans_exec_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.if serefpolicy-3.2.5/policy/modules/system/unconfined.if --- nsaserefpolicy/policy/modules/system/unconfined.if 2007-11-16 15:30:49.000000000 -0500 -+++ serefpolicy-3.2.5/policy/modules/system/unconfined.if 2007-12-19 05:38:09.000000000 -0500 ++++ serefpolicy-3.2.5/policy/modules/system/unconfined.if 2007-12-19 16:24:05.000000000 -0500 @@ -12,14 +12,13 @@ # interface(`unconfined_domain_noaudit',` @@ -13794,7 +13811,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf kernel_unconfined($1) corenet_unconfined($1) -@@ -589,7 +589,7 @@ +@@ -581,7 +581,6 @@ + interface(`unconfined_dbus_connect',` + gen_require(` + type unconfined_t; +- class dbus acquire_svc; + ') + + allow $1 unconfined_t:dbus acquire_svc; +@@ -589,7 +588,7 @@ ######################################## ## 
@@ -13803,7 +13828,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf ## ## ## -@@ -597,20 +597,53 @@ +@@ -597,20 +596,53 @@ ## ## # @@ -13864,7 +13889,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf ## ## ## -@@ -618,31 +651,132 @@ +@@ -618,31 +650,132 @@ ## ## # @@ -14009,7 +14034,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf ') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.te serefpolicy-3.2.5/policy/modules/system/unconfined.te --- nsaserefpolicy/policy/modules/system/unconfined.te 2007-12-19 05:32:17.000000000 -0500 -+++ serefpolicy-3.2.5/policy/modules/system/unconfined.te 2007-12-19 05:38:09.000000000 -0500 ++++ serefpolicy-3.2.5/policy/modules/system/unconfined.te 2007-12-19 16:35:02.000000000 -0500 @@ -9,32 +9,48 @@ # usage in this module of types created by these # calls is not correct, however we dont currently @@ -14184,12 +14209,21 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf ') optional_policy(` -@@ -205,11 +203,22 @@ +@@ -205,11 +203,30 @@ ') optional_policy(` - wine_domtrans(unconfined_t) + wine_run(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t }) + ') + + optional_policy(` +- xserver_domtrans_xdm_xserver(unconfined_t) ++ java_run(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t }) ++') ++ ++optional_policy(` ++ mono_run(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t }) +') + +optional_policy(` 
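Review bot: The new `java_run(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })` and `mono_run(...)` calls in the unconfined.te hunk (`@@ -205,11 +203,30 @@`) spell the terminal set in one order while the existing `kismet_run(...)` call in the next hunk uses `{ unconfined_tty_device_t unconfined_devpts_t }`; the set is unordered so this is harmless, but the mixed order makes the run of `*_run` calls harder to scan. I would pick one order for every `*_run` call in this file. The removal of the bare `xserver_domtrans_xdm_xserver(unconfined_t)` here is completed by `xserver_run_xdm_xserver` in the following hunk, so that pairing is fine as it stands.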
@@ -14200,34 +14234,35 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf + +optional_policy(` + kismet_run(unconfined_t, unconfined_r, { unconfined_tty_device_t unconfined_devpts_t }) - ') - - optional_policy(` -- xserver_domtrans_xdm_xserver(unconfined_t) ++') ++ ++optional_policy(` + xserver_run_xdm_xserver(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t }) + xserver_xdm_rw_shm(unconfined_t) ') ######################################## -@@ -219,14 +228,35 @@ +@@ -219,14 +236,36 @@ allow unconfined_execmem_t self:process { execstack execmem }; unconfined_domain_noaudit(unconfined_execmem_t) +allow unconfined_execmem_t unconfined_t:process transition; optional_policy(` ++ init_dbus_chat_script(unconfined_execmem_t) ++ dbus_stub(unconfined_execmem_t) - init_dbus_chat_script(unconfined_execmem_t) - unconfined_dbus_chat(unconfined_execmem_t) +- init_dbus_chat_script(unconfined_execmem_t) + dbus_connect_system_bus(unconfined_execmem_t) + unconfined_dbus_connect(unconfined_execmem_t) -+ -+ optional_policy(` -+ avahi_dbus_chat(unconfined_execmem_t) -+ ') + unconfined_dbus_chat(unconfined_execmem_t) optional_policy(` ++ avahi_dbus_chat(unconfined_execmem_t) ++ ') ++ ++ optional_policy(` hal_dbus_chat(unconfined_execmem_t) ') + @@ -14260,7 +14295,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo +/root(/.*)? gen_context(system_u:object_r:admin_home_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.2.5/policy/modules/system/userdomain.if --- nsaserefpolicy/policy/modules/system/userdomain.if 2007-11-29 13:29:35.000000000 -0500 -+++ serefpolicy-3.2.5/policy/modules/system/userdomain.if 2007-12-19 05:38:09.000000000 -0500 ++++ serefpolicy-3.2.5/policy/modules/system/userdomain.if 2007-12-19 16:35:24.000000000 -0500 @@ -29,8 +29,9 @@ ') 
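Review bot: `allow unconfined_execmem_t unconfined_t:process transition;` is added as a bare rule with no comment, and a `process transition` permission on its own does not cause a domain change — the executable also needs an entrypoint permission and a `type_transition` (or an explicit setexeccon), none of which appears in this hunk. If the intent is that programs started from the execmem domain return to unconfined_t, record it on the line: `# let programs exec'd from unconfined_execmem_t transition back to unconfined_t`. In the dbus block below, the inner patch now adds `init_dbus_chat_script(unconfined_execmem_t)` two lines above where it removes the identical line, which is a no-op pair that could be expressed as a context line to keep the hunk readable. The `optional_policy` that block belongs to closes outside this view.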
@@ -14945,7 +14980,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo typeattribute $1_tty_device_t user_ttynode; ############################## -@@ -1025,16 +991,37 @@ +@@ -1025,16 +991,29 @@ # # privileged home directory writers @@ -14973,23 +15008,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo + cups_dbus_chat($1_usertype) + ') + ') -+ -+ optional_policy(` -+ java_per_role_template($1, $1_t, $1_r) -+ ') optional_policy(` loadkeys_run($1_t,$1_r,$1_tty_device_t) ') + -+ optional_policy(` -+ mono_per_role_template($1, $1_t, $1_r) -+ ') -+ ') ####################################### -@@ -1062,6 +1049,13 @@ +@@ -1062,6 +1041,13 @@ userdom_restricted_user_template($1) @@ -15003,7 +15030,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo userdom_xwindows_client_template($1) ############################## -@@ -1070,14 +1064,14 @@ +@@ -1070,14 +1056,14 @@ # authlogin_per_role_template($1, $1_t, $1_r) @@ -15023,7 +15050,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo logging_dontaudit_send_audit_msgs($1_t) # Need to to this just so screensaver will work. Should be moved to screensaver domain -@@ -1085,33 +1079,14 @@ +@@ -1085,33 +1071,14 @@ selinux_get_enforce_mode($1_t) optional_policy(` @@ -15045,14 +15072,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo - - optional_policy(` - java_per_role_template($1, $1_t, $1_r) -- ') -- -- optional_policy(` -- mono_per_role_template($1, $1_t, $1_r) + alsa_read_rw_config($1_usertype) ') - optional_policy(` +- mono_per_role_template($1, $1_t, $1_r) +- ') +- +- optional_policy(` - setroubleshoot_dontaudit_stream_connect($1_t) - ') + # Broken Cover up bugzilla #345921 Should be removed when this is fixed 
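Review bot: The `@@ -1025,16 +991,29 @@` hunk drops the `java_per_role_template($1, $1_t, $1_r)` and `mono_per_role_template($1, $1_t, $1_r)` calls the previous revision of the patch added to this user template, and the inner diff in `@@ -1085,33 +1071,14 @@` still removes the refpolicy originals from the second template, while guest.te and xguest.te re-add the pair for those two users only. Any other user module instantiated from these templates loses its java/mono per-role domains with no corresponding change in this diff; those modules are not visible here, so this may be intended, but it is worth confirming before the policy ships. A one-line comment at the removal site — `# java/mono per-role domains are opted into by each user module` — would record the new convention.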
@@ -15063,7 +15090,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ####################################### -@@ -1121,10 +1096,10 @@ +@@ -1121,10 +1088,10 @@ ## ## ##

@@ -15078,7 +15105,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ## This template creates a user domain, types, and ## rules for the user's tty, pty, home directories, ## tmp, and tmpfs files. -@@ -1187,12 +1162,11 @@ +@@ -1187,12 +1154,11 @@ # and may change other protocols tunable_policy(`user_tcp_server',` corenet_tcp_bind_all_nodes($1_t) @@ -15093,7 +15120,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') # Run pppd in pppd_t by default for user -@@ -1278,8 +1252,6 @@ +@@ -1278,8 +1244,6 @@ # Manipulate other users crontab. allow $1_t self:passwd crontab; @@ -15102,7 +15129,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo kernel_read_software_raid_state($1_t) kernel_getattr_core_if($1_t) kernel_getattr_message_if($1_t) -@@ -1416,6 +1388,7 @@ +@@ -1416,6 +1380,7 @@ dev_relabel_all_dev_nodes($1) files_create_boot_flag($1) @@ -15110,7 +15137,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo # Necessary for managing /boot/efi fs_manage_dos_files($1) -@@ -1781,10 +1754,14 @@ +@@ -1781,10 +1746,14 @@ template(`userdom_user_home_content',` gen_require(` attribute $1_file_type; @@ -15126,7 +15153,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -1880,11 +1857,11 @@ +@@ -1880,11 +1849,11 @@ # template(`userdom_search_user_home_dirs',` gen_require(` @@ -15140,7 +15167,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -1914,11 +1891,11 @@ +@@ -1914,11 +1883,11 @@ # template(`userdom_list_user_home_dirs',` gen_require(` 
@@ -15154,7 +15181,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -1962,12 +1939,12 @@ +@@ -1962,12 +1931,12 @@ # template(`userdom_user_home_domtrans',` gen_require(` @@ -15170,7 +15197,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -1997,10 +1974,10 @@ +@@ -1997,10 +1966,10 @@ # template(`userdom_dontaudit_list_user_home_dirs',` gen_require(` @@ -15183,7 +15210,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2032,11 +2009,47 @@ +@@ -2032,11 +2001,47 @@ # template(`userdom_manage_user_home_content_dirs',` gen_require(` @@ -15233,7 +15260,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2068,10 +2081,10 @@ +@@ -2068,10 +2073,10 @@ # template(`userdom_dontaudit_setattr_user_home_content_files',` gen_require(` @@ -15246,7 +15273,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2101,11 +2114,11 @@ +@@ -2101,11 +2106,11 @@ # template(`userdom_read_user_home_content_files',` gen_require(` @@ -15260,7 +15287,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2135,11 +2148,11 @@ +@@ -2135,11 +2140,11 @@ # template(`userdom_dontaudit_read_user_home_content_files',` gen_require(` @@ -15275,7 +15302,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2169,10 +2182,10 @@ +@@ -2169,10 +2174,10 @@ # template(`userdom_dontaudit_write_user_home_content_files',` gen_require(` 
@@ -15288,7 +15315,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2202,11 +2215,11 @@ +@@ -2202,11 +2207,11 @@ # template(`userdom_read_user_home_content_symlinks',` gen_require(` @@ -15302,7 +15329,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2236,11 +2249,11 @@ +@@ -2236,11 +2241,11 @@ # template(`userdom_exec_user_home_content_files',` gen_require(` @@ -15316,7 +15343,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2270,10 +2283,10 @@ +@@ -2270,10 +2275,10 @@ # template(`userdom_dontaudit_exec_user_home_content_files',` gen_require(` @@ -15329,7 +15356,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2305,12 +2318,12 @@ +@@ -2305,12 +2310,12 @@ # template(`userdom_manage_user_home_content_files',` gen_require(` @@ -15345,7 +15372,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2342,10 +2355,10 @@ +@@ -2342,10 +2347,10 @@ # template(`userdom_dontaudit_manage_user_home_content_dirs',` gen_require(` @@ -15358,7 +15385,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2377,12 +2390,12 @@ +@@ -2377,12 +2382,12 @@ # template(`userdom_manage_user_home_content_symlinks',` gen_require(` @@ -15374,7 +15401,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2414,12 +2427,12 @@ +@@ -2414,12 +2419,12 @@ # template(`userdom_manage_user_home_content_pipes',` gen_require(` 
@@ -15390,7 +15417,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2451,12 +2464,12 @@ +@@ -2451,12 +2456,12 @@ # template(`userdom_manage_user_home_content_sockets',` gen_require(` @@ -15406,7 +15433,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2501,11 +2514,11 @@ +@@ -2501,11 +2506,11 @@ # template(`userdom_user_home_dir_filetrans',` gen_require(` @@ -15420,7 +15447,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2550,11 +2563,11 @@ +@@ -2550,11 +2555,11 @@ # template(`userdom_user_home_content_filetrans',` gen_require(` @@ -15434,7 +15461,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2594,11 +2607,11 @@ +@@ -2594,11 +2599,11 @@ # template(`userdom_user_home_dir_filetrans_user_home_content',` gen_require(` @@ -15448,7 +15475,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2628,11 +2641,11 @@ +@@ -2628,11 +2633,11 @@ # template(`userdom_write_user_tmp_sockets',` gen_require(` @@ -15462,7 +15489,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2662,11 +2675,11 @@ +@@ -2662,11 +2667,11 @@ # template(`userdom_list_user_tmp',` gen_require(` @@ -15476,7 +15503,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2698,10 +2711,10 @@ +@@ -2698,10 +2703,10 @@ # template(`userdom_dontaudit_list_user_tmp',` gen_require(` 
@@ -15489,7 +15516,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2733,10 +2746,10 @@ +@@ -2733,10 +2738,10 @@ # template(`userdom_dontaudit_manage_user_tmp_dirs',` gen_require(` @@ -15502,7 +15529,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2766,12 +2779,12 @@ +@@ -2766,12 +2771,12 @@ # template(`userdom_read_user_tmp_files',` gen_require(` @@ -15518,7 +15545,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2803,10 +2816,10 @@ +@@ -2803,10 +2808,10 @@ # template(`userdom_dontaudit_read_user_tmp_files',` gen_require(` @@ -15531,7 +15558,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2838,10 +2851,48 @@ +@@ -2838,10 +2843,48 @@ # template(`userdom_dontaudit_append_user_tmp_files',` gen_require(` @@ -15582,7 +15609,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2871,12 +2922,12 @@ +@@ -2871,12 +2914,12 @@ # template(`userdom_rw_user_tmp_files',` gen_require(` @@ -15598,7 +15625,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2908,10 +2959,10 @@ +@@ -2908,10 +2951,10 @@ # template(`userdom_dontaudit_manage_user_tmp_files',` gen_require(` @@ -15611,7 +15638,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2943,12 +2994,12 @@ +@@ -2943,12 +2986,12 @@ # template(`userdom_read_user_tmp_symlinks',` gen_require(` 
@@ -15627,7 +15654,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2980,11 +3031,11 @@ +@@ -2980,11 +3023,11 @@ # template(`userdom_manage_user_tmp_dirs',` gen_require(` @@ -15641,7 +15668,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -3016,11 +3067,11 @@ +@@ -3016,11 +3059,11 @@ # template(`userdom_manage_user_tmp_files',` gen_require(` @@ -15655,7 +15682,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -3052,11 +3103,11 @@ +@@ -3052,11 +3095,11 @@ # template(`userdom_manage_user_tmp_symlinks',` gen_require(` @@ -15669,7 +15696,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -3088,11 +3139,11 @@ +@@ -3088,11 +3131,11 @@ # template(`userdom_manage_user_tmp_pipes',` gen_require(` @@ -15683,7 +15710,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -3124,11 +3175,11 @@ +@@ -3124,11 +3167,11 @@ # template(`userdom_manage_user_tmp_sockets',` gen_require(` @@ -15697,7 +15724,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -3173,10 +3224,10 @@ +@@ -3173,10 +3216,10 @@ # template(`userdom_user_tmp_filetrans',` gen_require(` @@ -15710,7 +15737,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo files_search_tmp($2) ') -@@ -3217,10 +3268,10 @@ +@@ -3217,10 +3260,10 @@ # template(`userdom_tmp_filetrans_user_tmp',` gen_require(` 
@@ -15723,7 +15750,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -4225,11 +4276,11 @@ +@@ -4225,11 +4268,11 @@ # interface(`userdom_search_staff_home_dirs',` gen_require(` @@ -15737,7 +15764,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -4245,10 +4296,10 @@ +@@ -4245,10 +4288,10 @@ # interface(`userdom_dontaudit_search_staff_home_dirs',` gen_require(` @@ -15750,7 +15777,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -4264,11 +4315,11 @@ +@@ -4264,11 +4307,11 @@ # interface(`userdom_manage_staff_home_dirs',` gen_require(` @@ -15764,7 +15791,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -4283,16 +4334,16 @@ +@@ -4283,16 +4326,16 @@ # interface(`userdom_relabelto_staff_home_dirs',` gen_require(` @@ -15784,7 +15811,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ## users home directory. ## ## -@@ -4301,12 +4352,27 @@ +@@ -4301,12 +4344,27 @@ ## ## # @@ -15815,7 +15842,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -4321,13 +4387,13 @@ +@@ -4321,13 +4379,13 @@ # interface(`userdom_read_staff_home_content_files',` gen_require(` @@ -15833,7 +15860,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -4525,10 +4591,10 @@ +@@ -4525,10 +4583,10 @@ # interface(`userdom_getattr_sysadm_home_dirs',` gen_require(` 
@@ -15846,7 +15873,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -4545,10 +4611,10 @@ +@@ -4545,10 +4603,10 @@ # interface(`userdom_dontaudit_getattr_sysadm_home_dirs',` gen_require(` @@ -15859,7 +15886,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -4563,10 +4629,10 @@ +@@ -4563,10 +4621,10 @@ # interface(`userdom_search_sysadm_home_dirs',` gen_require(` @@ -15872,7 +15899,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -4582,10 +4648,10 @@ +@@ -4582,10 +4640,10 @@ # interface(`userdom_dontaudit_search_sysadm_home_dirs',` gen_require(` @@ -15885,7 +15912,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -4600,10 +4666,10 @@ +@@ -4600,10 +4658,10 @@ # interface(`userdom_list_sysadm_home_dirs',` gen_require(` @@ -15898,7 +15925,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -4619,10 +4685,10 @@ +@@ -4619,10 +4677,10 @@ # interface(`userdom_dontaudit_list_sysadm_home_dirs',` gen_require(` @@ -15911,7 +15938,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -4638,12 +4704,11 @@ +@@ -4638,12 +4696,11 @@ # interface(`userdom_dontaudit_read_sysadm_home_content_files',` gen_require(` @@ -15927,7 +15954,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -4670,10 +4735,10 @@ +@@ -4670,10 +4727,10 @@ # interface(`userdom_sysadm_home_dir_filetrans',` gen_require(` 
@@ -15940,7 +15967,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -4688,10 +4753,10 @@ +@@ -4688,10 +4745,10 @@ # interface(`userdom_search_sysadm_home_content_dirs',` gen_require(` @@ -15953,7 +15980,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -4706,13 +4771,13 @@ +@@ -4706,13 +4763,13 @@ # interface(`userdom_read_sysadm_home_content_files',` gen_require(` @@ -15971,7 +15998,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -4748,16 +4813,15 @@ +@@ -4748,16 +4805,15 @@ # interface(`userdom_search_all_users_home_dirs',` gen_require(` @@ -15991,7 +16018,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ## ## ##

-@@ -4765,18 +4829,18 @@ +@@ -4765,18 +4821,18 @@ ## ## # @@ -16013,7 +16040,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ## ## ## -@@ -4784,18 +4848,64 @@ +@@ -4784,33 +4840,79 @@ ## ## # @@ -16033,18 +16060,24 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ## -## Do not audit attempts to search all users home directories. +## List all users home directories. -+## -+## -+## + ## + ## + ## +-## Domain to not audit. +## Domain allowed access. -+## -+## -+# + ## + ## + # +-interface(`userdom_dontaudit_search_all_users_home_content',` +interface(`userdom_list_all_users_home_dirs',` -+ gen_require(` + gen_require(` +- attribute home_dir_type, home_type; + attribute home_dir_type; -+ ') -+ + ') + +- dontaudit $1 { home_dir_type home_type }:dir search_dir_perms; +-') +- + files_list_home($1) + allow $1 home_dir_type:dir list_dir_perms; + @@ -16079,10 +16112,25 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo +######################################## +## +## Do not audit attempts to search all users home directories. - ## - ## - ## -@@ -5109,7 +5219,7 @@ ++## ++## ++## ++## Domain to not audit. ++## ++## ++# ++interface(`userdom_dontaudit_search_all_users_home_content',` ++ gen_require(` ++ attribute home_dir_type, home_type; ++ ') ++ ++ dontaudit $1 { home_dir_type home_type }:dir search_dir_perms; ++') ++ + ######################################## + ## + ## Read all files in all users home directories. +@@ -5109,7 +5211,7 @@ # interface(`userdom_relabelto_generic_user_home_dirs',` gen_require(` @@ -16091,7 +16139,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') files_search_home($1) -@@ -5298,6 +5408,49 @@ +@@ -5298,6 +5400,49 @@ ######################################## ## 
@@ -16141,7 +16189,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ## Create, read, write, and delete directories in ## unprivileged users home directories. ## -@@ -5503,6 +5656,24 @@ +@@ -5503,6 +5648,24 @@ ######################################## ## @@ -16166,7 +16214,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ## Read and write unprivileged user ttys. ## ## -@@ -5668,6 +5839,42 @@ +@@ -5668,6 +5831,42 @@ ######################################## ## @@ -16209,7 +16257,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ## Send a dbus message to all user domains. ## ## -@@ -5698,3 +5905,277 @@ +@@ -5698,3 +5897,277 @@ interface(`userdom_unconfined',` refpolicywarn(`$0($*) has been deprecated.') ') 
@@ -16984,12 +17032,20 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/guest.i +## Policy for guest user diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/guest.te serefpolicy-3.2.5/policy/modules/users/guest.te --- nsaserefpolicy/policy/modules/users/guest.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.2.5/policy/modules/users/guest.te 2007-12-19 05:38:09.000000000 -0500 -@@ -0,0 +1,4 @@ ++++ serefpolicy-3.2.5/policy/modules/users/guest.te 2007-12-19 16:37:00.000000000 -0500 +@@ -0,0 +1,12 @@ +policy_module(guest,1.0.1) +userdom_restricted_user_template(guest) -+userdom_restricted_user_template(gadmin) + ++optional_policy(` ++ java_per_role_template(guest, guest_t, guest_r) ++') ++ ++optional_policy(` ++ mono_per_role_template(guest, guest_t, guest_r) ++') ++ ++userdom_restricted_user_template(gadmin) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/logadm.fc serefpolicy-3.2.5/policy/modules/users/logadm.fc --- nsaserefpolicy/policy/modules/users/logadm.fc 1969-12-31 19:00:00.000000000 -0500 +++ serefpolicy-3.2.5/policy/modules/users/logadm.fc 2007-12-19 05:38:09.000000000 -0500 @@ -17088,8 +17144,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/xguest. +## Policy for xguest user diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/xguest.te serefpolicy-3.2.5/policy/modules/users/xguest.te --- nsaserefpolicy/policy/modules/users/xguest.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.2.5/policy/modules/users/xguest.te 2007-12-19 05:38:09.000000000 -0500 -@@ -0,0 +1,55 @@ ++++ serefpolicy-3.2.5/policy/modules/users/xguest.te 2007-12-19 16:36:37.000000000 -0500 +@@ -0,0 +1,66 @@ +policy_module(xguest,1.0.1) + +## 
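Review bot: guest.te now calls `java_per_role_template(guest, guest_t, guest_r)` and `mono_per_role_template(guest, guest_t, guest_r)`, while `userdom_restricted_user_template(gadmin)`, moved below them, gets neither; if gadmin is meant to stay without these domains, a comment such as `# gadmin: no java/mono per-role domains` keeps the asymmetry from reading as an omission. guest is built from the text-console restricted template, so the per-role java and mono domains presumably give guest_t a transition into domains that need execmem/execstack — I am inferring that from the template names, so confirm it is wanted for a login guest. `policy_module(guest,1.0.1)` is unchanged from the previous revision of the patch although the module body changes, so a bump is conventional.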
@@ -17115,7 +17171,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/xguest. + +userdom_restricted_xwindows_user_template(xguest) + -+mozilla_per_role_template(xguest, xguest_t, xguest_r) ++optional_policy(` ++ mozilla_per_role_template(xguest, xguest_t, xguest_r) ++') ++ ++optional_policy(` ++ java_per_role_template(xguest, xguest_t, xguest_r) ++') ++ ++optional_policy(` ++ mono_per_role_template(xguest, xguest_t, xguest_r) ++') + +# Allow mounting of file systems +optional_policy(` @@ -17145,6 +17211,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/xguest. + bluetooth_dbus_chat(xguest_t) + ') +') ++ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/support/obj_perm_sets.spt serefpolicy-3.2.5/policy/support/obj_perm_sets.spt --- nsaserefpolicy/policy/support/obj_perm_sets.spt 2007-10-12 08:56:09.000000000 -0400 +++ serefpolicy-3.2.5/policy/support/obj_perm_sets.spt 2007-12-19 05:38:09.000000000 -0500 diff --git a/selinux-policy.spec b/selinux-policy.spec index ffa2c2e..b4e7761 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -17,7 +17,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.2.5 -Release: 1%{?dist} +Release: 2%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -104,6 +104,7 @@ touch %{buildroot}%{_sysconfdir}/selinux/%1/contexts/files/file_contexts \ touch %{buildroot}%{_sysconfdir}/selinux/%1/contexts/files/file_contexts.homedirs \ install -m0644 $RPM_SOURCE_DIR/securetty_types-%1 %{buildroot}%{_sysconfdir}/selinux/%1/contexts/securetty_types \ install -m0644 $RPM_SOURCE_DIR/setrans-%1.conf %{buildroot}%{_sysconfdir}/selinux/%1/setrans.conf \ +echo -n > %{buildroot}%{_sysconfdir}/selinux/%1/contexts/customizable_types \ %nil %define fileList() \ 
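Review bot: Wrapping `mozilla_per_role_template(xguest, xguest_t, xguest_r)` in `optional_policy` removes the hard dependency on the mozilla module, but the `@@ -17145,6 +17211,7 @@` hunk then appends an empty line after the final `')`, leaving a trailing blank line at end of xguest.te (java.if receives the same in `@@ -2191,10 +2191,11 @@`). `policy_module(xguest,1.0.1)` stays unchanged although the file grows from 55 to 66 lines, so a version bump is conventional. A short comment above the three new `optional_policy` blocks saying what the java and mono per-role domains add for the xguest user would help the next reader.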
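Review bot: The new `echo -n > %{buildroot}%{_sysconfdir}/selinux/%1/contexts/customizable_types \` creates the file with whatever mode the build umask yields, whereas the neighbouring context files on the lines above are installed with an explicit `install -m0644`; use the same form so the packaged mode is deterministic: `install -m0644 /dev/null %{buildroot}%{_sysconfdir}/selinux/%1/contexts/customizable_types \`. As I understand customizable_types, emptying it means no type is exempt from relabeling by the file-context tools, which matches the "Zero out customizable types" changelog entry but deserves a one-line comment in the macro. The enclosing `%define` macro begins before this hunk.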
@@ -382,6 +383,9 @@ exit 0 %endif %changelog +* Wed Dec 19 2007 Dan Walsh 3.2.5-2 +- Zero out customizable types + * Wed Dec 19 2007 Dan Walsh 3.2.5-1 - Fix definiton of admin_home_t