rpms/selinux-policy/F-13 policy-F13.patch,1.118,1.119
Daniel J Walsh
dwalsh at fedoraproject.org
Mon May 24 21:33:15 UTC 2010
Author: dwalsh
Update of /cvs/extras/rpms/selinux-policy/F-13
In directory cvs01.phx2.fedoraproject.org:/tmp/cvs-serv13573
Modified Files:
policy-F13.patch
Log Message:
* Mon May 24 2010 Dan Walsh <dwalsh at redhat.com> 3.7.19-21
- Allow login programs to read krb5_home_t
Resolves: #594833
- Add obsoletes for cachefilesfd-selinux package
Resolves: #575084
policy-F13.patch:
Makefile | 2
policy/global_tunables | 24
policy/mls | 2
policy/modules/admin/accountsd.fc | 4
policy/modules/admin/accountsd.if | 164 +++
policy/modules/admin/accountsd.te | 56 +
policy/modules/admin/acct.te | 1
policy/modules/admin/alsa.te | 2
policy/modules/admin/anaconda.te | 4
policy/modules/admin/certwatch.te | 2
policy/modules/admin/consoletype.if | 3
policy/modules/admin/consoletype.te | 1
policy/modules/admin/dmesg.te | 5
policy/modules/admin/firstboot.te | 7
policy/modules/admin/kismet.te | 1
policy/modules/admin/logrotate.te | 42
policy/modules/admin/mcelog.te | 2
policy/modules/admin/mrtg.te | 1
policy/modules/admin/netutils.fc | 2
policy/modules/admin/netutils.te | 20
policy/modules/admin/prelink.fc | 4
policy/modules/admin/prelink.if | 28
policy/modules/admin/prelink.te | 79 +
policy/modules/admin/quota.te | 1
policy/modules/admin/readahead.te | 4
policy/modules/admin/rpm.fc | 21
policy/modules/admin/rpm.if | 387 +++++++
policy/modules/admin/rpm.te | 110 +-
policy/modules/admin/shorewall.te | 6
policy/modules/admin/shutdown.fc | 5
policy/modules/admin/shutdown.if | 136 ++
policy/modules/admin/shutdown.te | 63 +
policy/modules/admin/su.if | 11
policy/modules/admin/sudo.if | 12
policy/modules/admin/tmpreaper.te | 24
policy/modules/admin/usermanage.if | 20
policy/modules/admin/usermanage.te | 21
policy/modules/admin/vbetool.te | 6
policy/modules/admin/vpn.if | 20
policy/modules/admin/vpn.te | 8
policy/modules/apps/chrome.fc | 3
policy/modules/apps/chrome.if | 90 +
policy/modules/apps/chrome.te | 86 +
policy/modules/apps/cpufreqselector.te | 4
policy/modules/apps/execmem.fc | 47
policy/modules/apps/execmem.if | 110 ++
policy/modules/apps/execmem.te | 11
policy/modules/apps/firewallgui.fc | 3
policy/modules/apps/firewallgui.if | 23
policy/modules/apps/firewallgui.te | 66 +
policy/modules/apps/gitosis.if | 2
policy/modules/apps/gnome.fc | 24
policy/modules/apps/gnome.if | 438 ++++++++
policy/modules/apps/gnome.te | 116 ++
policy/modules/apps/gpg.fc | 1
policy/modules/apps/gpg.if | 114 ++
policy/modules/apps/gpg.te | 157 ++
policy/modules/apps/irc.fc | 7
policy/modules/apps/irc.if | 37
policy/modules/apps/irc.te | 104 +
policy/modules/apps/java.fc | 7
policy/modules/apps/java.if | 4
policy/modules/apps/java.te | 9
policy/modules/apps/kdumpgui.fc | 2
policy/modules/apps/kdumpgui.if | 2
policy/modules/apps/kdumpgui.te | 68 +
policy/modules/apps/livecd.fc | 2
policy/modules/apps/livecd.if | 127 ++
policy/modules/apps/livecd.te | 34
policy/modules/apps/loadkeys.if | 3
policy/modules/apps/loadkeys.te | 6
policy/modules/apps/mono.if | 5
policy/modules/apps/mozilla.fc | 2
policy/modules/apps/mozilla.if | 62 +
policy/modules/apps/mozilla.te | 22
policy/modules/apps/mplayer.if | 36
policy/modules/apps/mplayer.te | 29
policy/modules/apps/nsplugin.fc | 10
policy/modules/apps/nsplugin.if | 391 +++++++
policy/modules/apps/nsplugin.te | 297 +++++
policy/modules/apps/openoffice.fc | 4
policy/modules/apps/openoffice.if | 129 ++
policy/modules/apps/openoffice.te | 17
policy/modules/apps/podsleuth.te | 3
policy/modules/apps/pulseaudio.fc | 1
policy/modules/apps/pulseaudio.if | 57 +
policy/modules/apps/pulseaudio.te | 6
policy/modules/apps/qemu.fc | 4
policy/modules/apps/qemu.if | 84 +
policy/modules/apps/qemu.te | 11
policy/modules/apps/sambagui.fc | 1
policy/modules/apps/sambagui.if | 2
policy/modules/apps/sambagui.te | 66 +
policy/modules/apps/sandbox.fc | 1
policy/modules/apps/sandbox.if | 314 +++++
policy/modules/apps/sandbox.te | 385 +++++++
policy/modules/apps/seunshare.if | 78 -
policy/modules/apps/seunshare.te | 35
policy/modules/apps/slocate.te | 4
policy/modules/apps/telepathysofiasip.fc | 2
policy/modules/apps/telepathysofiasip.if | 69 +
policy/modules/apps/telepathysofiasip.te | 45
policy/modules/apps/userhelper.fc | 1
policy/modules/apps/userhelper.if | 56 +
policy/modules/apps/userhelper.te | 42
policy/modules/apps/vmware.if | 19
policy/modules/apps/vmware.te | 13
policy/modules/apps/wine.fc | 1
policy/modules/apps/wine.if | 11
policy/modules/apps/wine.te | 22
policy/modules/apps/wm.if | 16
policy/modules/kernel/corecommands.fc | 32
policy/modules/kernel/corecommands.if | 2
policy/modules/kernel/corenetwork.te.in | 32
policy/modules/kernel/devices.fc | 7
policy/modules/kernel/devices.if | 91 +
policy/modules/kernel/devices.te | 12
policy/modules/kernel/domain.if | 63 +
policy/modules/kernel/domain.te | 112 ++
policy/modules/kernel/files.fc | 27
policy/modules/kernel/files.if | 653 ++++++++++++
policy/modules/kernel/files.te | 15
policy/modules/kernel/filesystem.if | 296 ++++-
policy/modules/kernel/filesystem.te | 11
policy/modules/kernel/kernel.if | 107 +
policy/modules/kernel/kernel.te | 34
policy/modules/kernel/selinux.if | 25
policy/modules/kernel/storage.fc | 1
policy/modules/kernel/storage.if | 22
policy/modules/kernel/terminal.if | 29
policy/modules/roles/auditadm.te | 3
policy/modules/roles/guest.te | 8
policy/modules/roles/secadm.te | 2
policy/modules/roles/staff.te | 118 ++
policy/modules/roles/sysadm.te | 98 +
policy/modules/roles/unconfineduser.fc | 10
policy/modules/roles/unconfineduser.if | 667 ++++++++++++
policy/modules/roles/unconfineduser.te | 435 ++++++++
policy/modules/roles/unprivuser.te | 23
policy/modules/roles/xguest.te | 79 +
policy/modules/services/abrt.fc | 9
policy/modules/services/abrt.if | 201 +++
policy/modules/services/abrt.te | 160 ++
policy/modules/services/afs.te | 5
policy/modules/services/aiccu.fc | 5
policy/modules/services/aiccu.if | 119 ++
policy/modules/services/aiccu.te | 44
policy/modules/services/aisexec.fc | 10
policy/modules/services/aisexec.if | 106 +
policy/modules/services/aisexec.te | 118 ++
policy/modules/services/apache.fc | 17
policy/modules/services/apache.if | 203 +++
policy/modules/services/apache.te | 234 ++++
policy/modules/services/apcupsd.te | 4
policy/modules/services/arpwatch.te | 4
policy/modules/services/asterisk.if | 19
policy/modules/services/asterisk.te | 45
policy/modules/services/automount.te | 1
policy/modules/services/avahi.if | 1
policy/modules/services/bluetooth.if | 21
policy/modules/services/boinc.fc | 6
policy/modules/services/boinc.if | 151 ++
policy/modules/services/boinc.te | 93 +
policy/modules/services/bugzilla.fc | 4
policy/modules/services/bugzilla.if | 39
policy/modules/services/bugzilla.te | 57 +
policy/modules/services/cachefilesd.fc | 29
policy/modules/services/cachefilesd.if | 41
policy/modules/services/cachefilesd.te | 147 ++
policy/modules/services/ccs.te | 10
policy/modules/services/certmonger.fc | 6
policy/modules/services/certmonger.if | 217 ++++
policy/modules/services/certmonger.te | 74 +
policy/modules/services/cgroup.fc | 12
policy/modules/services/cgroup.if | 243 ++++
policy/modules/services/cgroup.te | 102 +
policy/modules/services/chronyd.if | 77 +
policy/modules/services/chronyd.te | 10
policy/modules/services/clamav.te | 19
policy/modules/services/clogd.fc | 4
policy/modules/services/clogd.if | 82 +
policy/modules/services/clogd.te | 65 +
policy/modules/services/cobbler.if | 4
policy/modules/services/cobbler.te | 14
policy/modules/services/consolekit.fc | 4
policy/modules/services/consolekit.if | 39
policy/modules/services/consolekit.te | 38
policy/modules/services/corosync.fc | 15
policy/modules/services/corosync.if | 108 ++
policy/modules/services/corosync.te | 122 ++
policy/modules/services/cron.fc | 6
policy/modules/services/cron.if | 101 +
policy/modules/services/cron.te | 100 +
policy/modules/services/cups.fc | 15
policy/modules/services/cups.te | 67 +
policy/modules/services/cvs.te | 2
policy/modules/services/cyrus.te | 2
policy/modules/services/dbus.if | 107 +
policy/modules/services/dbus.te | 21
policy/modules/services/denyhosts.fc | 7
policy/modules/services/denyhosts.if | 87 +
policy/modules/services/denyhosts.te | 76 +
policy/modules/services/devicekit.fc | 8
policy/modules/services/devicekit.if | 22
policy/modules/services/devicekit.te | 101 +
policy/modules/services/dhcp.te | 4
policy/modules/services/djbdns.if | 38
policy/modules/services/djbdns.te | 8
policy/modules/services/dnsmasq.fc | 2
policy/modules/services/dnsmasq.if | 4
policy/modules/services/dnsmasq.te | 22
policy/modules/services/dovecot.fc | 6
policy/modules/services/dovecot.te | 47
policy/modules/services/exim.fc | 3
policy/modules/services/exim.if | 61 +
policy/modules/services/exim.te | 3
policy/modules/services/fail2ban.if | 20
policy/modules/services/fprintd.te | 2
policy/modules/services/ftp.fc | 2
policy/modules/services/ftp.if | 38
policy/modules/services/ftp.te | 179 +++
policy/modules/services/git.fc | 9
policy/modules/services/git.if | 533 +++++++++
policy/modules/services/git.te | 190 +++
policy/modules/services/gnomeclock.if | 21
policy/modules/services/gpsd.te | 5
policy/modules/services/hal.if | 22
policy/modules/services/hal.te | 37
policy/modules/services/inn.te | 1
policy/modules/services/kerberos.if | 6
policy/modules/services/kerberos.te | 3
policy/modules/services/ksmtuned.fc | 2
policy/modules/services/ksmtuned.te | 11
policy/modules/services/ldap.fc | 5
policy/modules/services/ldap.if | 81 +
policy/modules/services/ldap.te | 13
policy/modules/services/lircd.te | 23
policy/modules/services/milter.if | 20
policy/modules/services/milter.te | 8
policy/modules/services/modemmanager.te | 9
policy/modules/services/mta.fc | 2
policy/modules/services/mta.if | 68 +
policy/modules/services/mta.te | 25
policy/modules/services/munin.fc | 58 +
policy/modules/services/munin.if | 66 +
policy/modules/services/munin.te | 175 +++
policy/modules/services/mysql.te | 3
policy/modules/services/nagios.fc | 83 +
policy/modules/services/nagios.if | 142 ++
policy/modules/services/nagios.te | 283 ++++-
policy/modules/services/networkmanager.fc | 20
policy/modules/services/networkmanager.if | 126 ++
policy/modules/services/networkmanager.te | 127 ++
policy/modules/services/nis.fc | 10
policy/modules/services/nis.if | 78 +
policy/modules/services/nis.te | 21
policy/modules/services/nscd.if | 20
policy/modules/services/nscd.te | 27
policy/modules/services/nslcd.te | 2
policy/modules/services/ntop.te | 32
policy/modules/services/ntp.te | 3
policy/modules/services/nut.te | 4
policy/modules/services/nx.fc | 12
policy/modules/services/nx.if | 67 +
policy/modules/services/nx.te | 13
policy/modules/services/oddjob.fc | 1
policy/modules/services/oddjob.if | 1
policy/modules/services/oddjob.te | 5
policy/modules/services/oident.te | 1
policy/modules/services/openvpn.te | 7
policy/modules/services/pegasus.te | 28
policy/modules/services/piranha.fc | 21
policy/modules/services/piranha.if | 175 +++
policy/modules/services/piranha.te | 187 +++
policy/modules/services/plymouthd.fc | 9
policy/modules/services/plymouthd.if | 322 +++++
policy/modules/services/plymouthd.te | 109 ++
policy/modules/services/policykit.fc | 5
policy/modules/services/policykit.if | 71 +
policy/modules/services/policykit.te | 86 +
policy/modules/services/portreserve.fc | 3
policy/modules/services/portreserve.if | 55 +
policy/modules/services/portreserve.te | 3
policy/modules/services/postfix.fc | 3
policy/modules/services/postfix.if | 282 +++++
policy/modules/services/postfix.te | 152 ++
policy/modules/services/ppp.te | 4
policy/modules/services/procmail.fc | 2
policy/modules/services/procmail.te | 26
policy/modules/services/pyzor.fc | 4
policy/modules/services/pyzor.if | 47
policy/modules/services/pyzor.te | 37
policy/modules/services/qpidd.fc | 9
policy/modules/services/qpidd.if | 236 ++++
policy/modules/services/qpidd.te | 61 +
policy/modules/services/razor.fc | 1
policy/modules/services/razor.if | 42
policy/modules/services/razor.te | 32
policy/modules/services/rgmanager.fc | 10
policy/modules/services/rgmanager.if | 141 ++
policy/modules/services/rgmanager.te | 229 ++++
policy/modules/services/rhcs.fc | 23
policy/modules/services/rhcs.if | 424 +++++++
policy/modules/services/rhcs.te | 240 ++++
policy/modules/services/ricci.fc | 3
policy/modules/services/ricci.if | 62 +
policy/modules/services/ricci.te | 42
policy/modules/services/rlogin.fc | 3
policy/modules/services/rlogin.te | 1
policy/modules/services/rpc.if | 21
policy/modules/services/rpc.te | 15
policy/modules/services/rsync.if | 4
policy/modules/services/rsync.te | 26
policy/modules/services/rtkit.if | 21
policy/modules/services/samba.fc | 4
policy/modules/services/samba.if | 138 ++
policy/modules/services/samba.te | 123 +-
policy/modules/services/sasl.te | 3
policy/modules/services/sendmail.fc | 2
policy/modules/services/sendmail.if | 84 +
policy/modules/services/sendmail.te | 20
policy/modules/services/setroubleshoot.fc | 2
policy/modules/services/setroubleshoot.if | 124 ++
policy/modules/services/setroubleshoot.te | 91 +
policy/modules/services/smartmon.te | 2
policy/modules/services/smokeping.te | 1
policy/modules/services/snmp.te | 3
policy/modules/services/snort.te | 4
policy/modules/services/spamassassin.fc | 15
policy/modules/services/spamassassin.if | 107 +
policy/modules/services/spamassassin.te | 141 ++
policy/modules/services/squid.te | 21
policy/modules/services/ssh.fc | 6
policy/modules/services/ssh.if | 158 ++
policy/modules/services/ssh.te | 56 -
policy/modules/services/sssd.te | 3
policy/modules/services/tgtd.te | 6
policy/modules/services/tor.te | 3
policy/modules/services/tuned.te | 5
policy/modules/services/ucspitcp.te | 5
policy/modules/services/usbmuxd.fc | 2
policy/modules/services/varnishd.if | 19
policy/modules/services/vhostmd.te | 2
policy/modules/services/virt.fc | 6
policy/modules/services/virt.if | 59 -
policy/modules/services/virt.te | 99 +
policy/modules/services/w3c.te | 7
policy/modules/services/xserver.fc | 61 -
policy/modules/services/xserver.if | 451 ++++++++
policy/modules/services/xserver.te | 410 ++++++-
policy/modules/system/application.te | 16
policy/modules/system/authlogin.fc | 1
policy/modules/system/authlogin.if | 56 -
policy/modules/system/daemontools.if | 62 +
policy/modules/system/daemontools.te | 26
policy/modules/system/fstools.fc | 2
policy/modules/system/fstools.te | 12
policy/modules/system/getty.te | 2
policy/modules/system/hostname.te | 7
policy/modules/system/init.fc | 3
policy/modules/system/init.if | 146 ++
policy/modules/system/init.te | 216 +++-
policy/modules/system/ipsec.te | 17
policy/modules/system/iptables.fc | 9
policy/modules/system/iptables.if | 4
policy/modules/system/iptables.te | 21
policy/modules/system/iscsi.if | 18
policy/modules/system/libraries.fc | 152 ++
policy/modules/system/libraries.te | 8
policy/modules/system/locallogin.te | 40
policy/modules/system/logging.fc | 16
policy/modules/system/logging.if | 43
policy/modules/system/logging.te | 23
policy/modules/system/lvm.fc | 2
policy/modules/system/lvm.if | 2
policy/modules/system/lvm.te | 21
policy/modules/system/miscfiles.fc | 2
policy/modules/system/miscfiles.if | 3
policy/modules/system/modutils.te | 14
policy/modules/system/mount.fc | 8
policy/modules/system/mount.if | 163 +++
policy/modules/system/mount.te | 152 ++
policy/modules/system/raid.te | 1
policy/modules/system/selinuxutil.fc | 17
policy/modules/system/selinuxutil.if | 330 ++++++
policy/modules/system/selinuxutil.te | 246 +---
policy/modules/system/setrans.te | 1
policy/modules/system/sosreport.fc | 2
policy/modules/system/sosreport.if | 131 ++
policy/modules/system/sosreport.te | 155 ++
policy/modules/system/sysnetwork.fc | 2
policy/modules/system/sysnetwork.if | 114 +-
policy/modules/system/sysnetwork.te | 25
policy/modules/system/udev.fc | 1
policy/modules/system/udev.if | 19
policy/modules/system/udev.te | 13
policy/modules/system/unconfined.fc | 14
policy/modules/system/unconfined.if | 440 --------
policy/modules/system/unconfined.te | 224 ----
policy/modules/system/userdomain.fc | 11
policy/modules/system/userdomain.if | 1614 ++++++++++++++++++++++++------
policy/modules/system/userdomain.te | 54 -
policy/modules/system/xen.if | 3
policy/modules/system/xen.te | 14
policy/support/misc_patterns.spt | 8
policy/support/obj_perm_sets.spt | 38
policy/users | 17
407 files changed, 23316 insertions(+), 2150 deletions(-)
Index: policy-F13.patch
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/F-13/policy-F13.patch,v
retrieving revision 1.118
retrieving revision 1.119
diff -u -p -r1.118 -r1.119
--- policy-F13.patch 24 May 2010 21:06:59 -0000 1.118
+++ policy-F13.patch 24 May 2010 21:33:14 -0000 1.119
@@ -32868,8 +32868,8 @@ diff --exclude-from=exclude -N -u -r nsa
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/lvm.fc serefpolicy-3.7.19/policy/modules/system/lvm.fc
--- nsaserefpolicy/policy/modules/system/lvm.fc 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.7.19/policy/modules/system/lvm.fc 2010-04-14 10:48:18.000000000 -0400
-@@ -28,6 +28,7 @@
++++ serefpolicy-3.7.19/policy/modules/system/lvm.fc 2010-05-24 17:32:23.000000000 -0400
+@@ -28,10 +28,12 @@
#
/lib/lvm-10/.* -- gen_context(system_u:object_r:lvm_exec_t,s0)
/lib/lvm-200/.* -- gen_context(system_u:object_r:lvm_exec_t,s0)
@@ -32877,6 +32877,11 @@ diff --exclude-from=exclude -N -u -r nsa
#
# /sbin
+ #
++/sbin/mount\.crypt -- gen_context(system_u:object_r:lvm_exec_t,s0)
+ /sbin/cryptsetup -- gen_context(system_u:object_r:lvm_exec_t,s0)
+ /sbin/dmraid -- gen_context(system_u:object_r:lvm_exec_t,s0)
+ /sbin/dmsetup -- gen_context(system_u:object_r:lvm_exec_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/lvm.if serefpolicy-3.7.19/policy/modules/system/lvm.if
--- nsaserefpolicy/policy/modules/system/lvm.if 2009-11-25 11:47:19.000000000 -0500
+++ serefpolicy-3.7.19/policy/modules/system/lvm.if 2010-04-22 12:09:51.000000000 -0400
@@ -33296,7 +33301,7 @@ diff --exclude-from=exclude -N -u -r nsa
')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.te serefpolicy-3.7.19/policy/modules/system/mount.te
--- nsaserefpolicy/policy/modules/system/mount.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.7.19/policy/modules/system/mount.te 2010-05-20 09:42:45.000000000 -0400
++++ serefpolicy-3.7.19/policy/modules/system/mount.te 2010-05-24 17:17:58.000000000 -0400
@@ -18,8 +18,15 @@
init_system_domain(mount_t, mount_exec_t)
role system_r types mount_t;
@@ -33338,7 +33343,7 @@ diff --exclude-from=exclude -N -u -r nsa
# setuid/setgid needed to mount cifs
-allow mount_t self:capability { ipc_lock sys_rawio sys_admin dac_override chown sys_tty_config setuid setgid };
-+allow mount_t self:capability { fsetid ipc_lock setpcap sys_rawio sys_resource sys_admin dac_override chown sys_tty_config setuid setgid };
++allow mount_t self:capability { fsetid ipc_lock setpcap sys_rawio sys_resource sys_admin dac_override dac_read_search chown sys_tty_config setuid setgid };
+allow mount_t self:process { getcap getsched ptrace setcap signal };
+allow mount_t self:fifo_file rw_fifo_file_perms;
+allow mount_t self:unix_stream_socket create_stream_socket_perms;
@@ -35833,8 +35838,8 @@ diff --exclude-from=exclude -N -u -r nsa
-')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.fc serefpolicy-3.7.19/policy/modules/system/userdomain.fc
--- nsaserefpolicy/policy/modules/system/userdomain.fc 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.7.19/policy/modules/system/userdomain.fc 2010-05-24 14:15:38.000000000 -0400
-@@ -1,4 +1,12 @@
++++ serefpolicy-3.7.19/policy/modules/system/userdomain.fc 2010-05-24 17:24:42.000000000 -0400
+@@ -1,4 +1,13 @@
HOME_DIR -d gen_context(system_u:object_r:user_home_dir_t,s0-mls_systemhigh)
+HOME_DIR -l gen_context(system_u:object_r:user_home_dir_t,s0-mls_systemhigh)
HOME_DIR/.+ gen_context(system_u:object_r:user_home_t,s0)
@@ -35844,13 +35849,14 @@ diff --exclude-from=exclude -N -u -r nsa
+/root/\.cert(/.*)? gen_context(system_u:object_r:home_cert_t,s0)
+/dev/shm/pulse-shm.* gen_context(system_u:object_r:user_tmpfs_t,s0)
+/dev/shm/mono.* gen_context(system_u:object_r:user_tmpfs_t,s0)
-+HOME_DIR/bin(/.*)? gen_context(system_u:object_r:home_bin_t,s0)
++HOME_DIR/bin(/.*)? gen_context(system_u:object_r:home_bin_t,s0)
++HOME_DIR/local/bin(/.*)? gen_context(system_u:object_r:home_bin_t,s0)
+HOME_DIR/\.cert(/.*)? gen_context(system_u:object_r:home_cert_t,s0)
+HOME_DIR/\.pki(/.*)? gen_context(system_u:object_r:home_cert_t,s0)
+HOME_DIR/\.gvfs(/.*)? <<none>>
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.7.19/policy/modules/system/userdomain.if
--- nsaserefpolicy/policy/modules/system/userdomain.if 2010-03-03 23:26:37.000000000 -0500
-+++ serefpolicy-3.7.19/policy/modules/system/userdomain.if 2010-05-24 14:25:06.000000000 -0400
++++ serefpolicy-3.7.19/policy/modules/system/userdomain.if 2010-05-24 17:22:40.000000000 -0400
@@ -30,8 +30,9 @@
')
@@ -36135,7 +36141,7 @@ diff --exclude-from=exclude -N -u -r nsa
')
')
-@@ -303,6 +319,47 @@
+@@ -303,6 +319,27 @@
manage_sock_files_pattern($2, user_tmp_t, user_tmp_t)
manage_fifo_files_pattern($2, user_tmp_t, user_tmp_t)
files_tmp_filetrans($2, user_tmp_t, { dir file lnk_file sock_file fifo_file })
@@ -36160,30 +36166,10 @@ diff --exclude-from=exclude -N -u -r nsa
+
+ exec_files_pattern($1, { user_home_dir_t user_home_type }, home_bin_t)
+ files_search_home($1)
-+')
-+
-+#######################################
-+## <summary>
-+## Execute user bin files.
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain allowed access.
-+## </summary>
-+## </param>
-+#
-+interface(`userdom_exec_user_bin_files',`
-+ gen_require(`
-+ attribute user_home_type;
-+ type home_bin_t, user_home_dir_t;
-+ ')
-+
-+ exec_files_pattern($1, { user_home_dir_t user_home_type }, home_bin_t)
-+ files_search_home($1)
')
#######################################
-@@ -322,6 +379,7 @@
+@@ -322,6 +359,7 @@
')
exec_files_pattern($1, user_tmp_t, user_tmp_t)
@@ -36191,7 +36177,7 @@ diff --exclude-from=exclude -N -u -r nsa
files_search_tmp($1)
')
-@@ -368,46 +426,41 @@
+@@ -368,46 +406,41 @@
#######################################
## <summary>
@@ -36213,10 +36199,12 @@ diff --exclude-from=exclude -N -u -r nsa
- gen_require(`
- type $1_t;
- ')
--
++interface(`userdom_basic_networking',`
+
- allow $1_t self:tcp_socket create_stream_socket_perms;
- allow $1_t self:udp_socket create_socket_perms;
-+interface(`userdom_basic_networking',`
++ allow $1 self:tcp_socket create_stream_socket_perms;
++ allow $1 self:udp_socket create_socket_perms;
- corenet_all_recvfrom_unlabeled($1_t)
- corenet_all_recvfrom_netlabel($1_t)
@@ -36228,9 +36216,7 @@ diff --exclude-from=exclude -N -u -r nsa
- corenet_udp_sendrecv_all_ports($1_t)
- corenet_tcp_connect_all_ports($1_t)
- corenet_sendrecv_all_client_packets($1_t)
-+ allow $1 self:tcp_socket create_stream_socket_perms;
-+ allow $1 self:udp_socket create_socket_perms;
-
+-
- corenet_all_recvfrom_labeled($1_t, $1_t)
+ corenet_all_recvfrom_unlabeled($1)
+ corenet_all_recvfrom_netlabel($1)
@@ -36258,7 +36244,7 @@ diff --exclude-from=exclude -N -u -r nsa
')
#######################################
-@@ -438,6 +491,7 @@
+@@ -438,6 +471,7 @@
dev_dontaudit_rw_dri($1_t)
# GNOME checks for usb and other devices:
dev_rw_usbfs($1_t)
@@ -36266,7 +36252,7 @@ diff --exclude-from=exclude -N -u -r nsa
xserver_user_x_domain_template($1, $1_t, user_tmpfs_t)
xserver_xsession_entry_type($1_t)
-@@ -498,7 +552,7 @@
+@@ -498,7 +532,7 @@
attribute unpriv_userdomain;
')
@@ -36275,7 +36261,7 @@ diff --exclude-from=exclude -N -u -r nsa
##############################
#
-@@ -508,71 +562,78 @@
+@@ -508,71 +542,78 @@
# evolution and gnome-session try to create a netlink socket
dontaudit $1_t self:netlink_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown };
dontaudit $1_t self:netlink_route_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown nlmsg_read nlmsg_write };
@@ -36296,27 +36282,27 @@ diff --exclude-from=exclude -N -u -r nsa
+ kernel_get_sysvipc_info($1_usertype)
# Find CDROM devices:
- kernel_read_device_sysctls($1_t)
+-
+- corecmd_exec_bin($1_t)
+ kernel_read_device_sysctls($1_usertype)
+ kernel_request_load_module($1_usertype)
-- corecmd_exec_bin($1_t)
+- corenet_udp_bind_generic_node($1_t)
+- corenet_udp_bind_generic_port($1_t)
+ corenet_udp_bind_generic_node($1_usertype)
+ corenet_udp_bind_generic_port($1_usertype)
-- corenet_udp_bind_generic_node($1_t)
-- corenet_udp_bind_generic_port($1_t)
+- dev_read_rand($1_t)
+- dev_write_sound($1_t)
+- dev_read_sound($1_t)
+- dev_read_sound_mixer($1_t)
+- dev_write_sound_mixer($1_t)
+ dev_read_rand($1_usertype)
+ dev_write_sound($1_usertype)
+ dev_read_sound($1_usertype)
+ dev_read_sound_mixer($1_usertype)
+ dev_write_sound_mixer($1_usertype)
-- dev_read_rand($1_t)
-- dev_write_sound($1_t)
-- dev_read_sound($1_t)
-- dev_read_sound_mixer($1_t)
-- dev_write_sound_mixer($1_t)
--
- files_exec_etc_files($1_t)
- files_search_locks($1_t)
+ files_exec_etc_files($1_usertype)
@@ -36392,7 +36378,7 @@ diff --exclude-from=exclude -N -u -r nsa
')
tunable_policy(`user_ttyfile_stat',`
-@@ -580,65 +641,108 @@
+@@ -580,65 +621,108 @@
')
optional_policy(`
@@ -36404,19 +36390,19 @@ diff --exclude-from=exclude -N -u -r nsa
# Allow graphical boot to check battery lifespan
- apm_stream_connect($1_t)
+ apm_stream_connect($1_usertype)
-+ ')
-+
-+ optional_policy(`
-+ canna_stream_connect($1_usertype)
')
optional_policy(`
- canna_stream_connect($1_t)
-+ chrome_role($1_r, $1_usertype)
++ canna_stream_connect($1_usertype)
')
optional_policy(`
- dbus_system_bus_client($1_t)
++ chrome_role($1_r, $1_usertype)
++ ')
++
++ optional_policy(`
+ dbus_system_bus_client($1_usertype)
+
+ allow $1_usertype $1_usertype:dbus send_msg;
@@ -36432,58 +36418,58 @@ diff --exclude-from=exclude -N -u -r nsa
+ optional_policy(`
+ bluetooth_dbus_chat($1_usertype)
+ ')
++
++ optional_policy(`
++ consolekit_dbus_chat($1_usertype)
++ consolekit_read_log($1_usertype)
++ ')
++
++ optional_policy(`
++ devicekit_dbus_chat($1_usertype)
++ devicekit_dbus_chat_power($1_usertype)
++ devicekit_dbus_chat_disk($1_usertype)
++ ')
++
++ optional_policy(`
++ evolution_dbus_chat($1_usertype)
++ evolution_alarm_dbus_chat($1_usertype)
++ ')
optional_policy(`
- bluetooth_dbus_chat($1_t)
-+ consolekit_dbus_chat($1_usertype)
-+ consolekit_read_log($1_usertype)
++ gnome_dbus_chat_gconfdefault($1_usertype)
')
optional_policy(`
- evolution_dbus_chat($1_t)
- evolution_alarm_dbus_chat($1_t)
-+ devicekit_dbus_chat($1_usertype)
-+ devicekit_dbus_chat_power($1_usertype)
-+ devicekit_dbus_chat_disk($1_usertype)
++ hal_dbus_chat($1_usertype)
')
optional_policy(`
- cups_dbus_chat_config($1_t)
-+ evolution_dbus_chat($1_usertype)
-+ evolution_alarm_dbus_chat($1_usertype)
++ modemmanager_dbus_chat($1_usertype)
')
optional_policy(`
- hal_dbus_chat($1_t)
-+ gnome_dbus_chat_gconfdefault($1_usertype)
++ networkmanager_dbus_chat($1_usertype)
++ networkmanager_read_var_lib_files($1_usertype)
')
optional_policy(`
- networkmanager_dbus_chat($1_t)
-+ hal_dbus_chat($1_usertype)
- ')
-+
-+ optional_policy(`
-+ modemmanager_dbus_chat($1_usertype)
-+ ')
-+
-+ optional_policy(`
-+ networkmanager_dbus_chat($1_usertype)
-+ networkmanager_read_var_lib_files($1_usertype)
-+ ')
-+
-+ optional_policy(`
+ vpn_dbus_chat($1_usertype)
-+ ')
-+ ')
-+
-+ optional_policy(`
-+ git_session_role($1_r, $1_usertype)
+ ')
')
optional_policy(`
- inetd_use_fds($1_t)
- inetd_rw_tcp_sockets($1_t)
++ git_session_role($1_r, $1_usertype)
++ ')
++
++ optional_policy(`
+ inetd_use_fds($1_usertype)
+ inetd_rw_tcp_sockets($1_usertype)
')
@@ -36506,20 +36492,20 @@ diff --exclude-from=exclude -N -u -r nsa
optional_policy(`
- modutils_read_module_config($1_t)
+ modutils_read_module_config($1_usertype)
++ ')
++
++ optional_policy(`
++ mta_rw_spool($1_usertype)
++ mta_manage_queue($1_usertype)
')
optional_policy(`
- mta_rw_spool($1_t)
-+ mta_rw_spool($1_usertype)
-+ mta_manage_queue($1_usertype)
-+ ')
-+
-+ optional_policy(`
+ nsplugin_role($1_r, $1_usertype)
')
optional_policy(`
-@@ -649,41 +753,50 @@
+@@ -649,41 +733,50 @@
optional_policy(`
# to allow monitoring of pcmcia status
@@ -36546,42 +36532,42 @@ diff --exclude-from=exclude -N -u -r nsa
optional_policy(`
- resmgr_stream_connect($1_t)
+ resmgr_stream_connect($1_usertype)
-+ ')
-+
-+ optional_policy(`
-+ rpc_dontaudit_getattr_exports($1_usertype)
-+ rpc_manage_nfs_rw_content($1_usertype)
-+ ')
-+
-+ optional_policy(`
-+ rpcbind_stream_connect($1_usertype)
')
optional_policy(`
- rpc_dontaudit_getattr_exports($1_t)
- rpc_manage_nfs_rw_content($1_t)
-+ samba_stream_connect_winbind($1_usertype)
++ rpc_dontaudit_getattr_exports($1_usertype)
++ rpc_manage_nfs_rw_content($1_usertype)
')
optional_policy(`
- samba_stream_connect_winbind($1_t)
-+ sandbox_transition($1_usertype, $1_r)
++ rpcbind_stream_connect($1_usertype)
')
optional_policy(`
- slrnpull_search_spool($1_t)
-+ seunshare_role_template($1, $1_r, $1_t)
++ samba_stream_connect_winbind($1_usertype)
')
optional_policy(`
- usernetctl_run($1_t,$1_r)
-+ slrnpull_search_spool($1_usertype)
++ sandbox_transition($1_usertype, $1_r)
')
+
++ optional_policy(`
++ seunshare_role_template($1, $1_r, $1_t)
++ ')
++
++ optional_policy(`
++ slrnpull_search_spool($1_usertype)
++ ')
++
')
#######################################
-@@ -711,13 +824,26 @@
+@@ -711,13 +804,26 @@
userdom_base_user_template($1)
@@ -36590,12 +36576,14 @@ diff --exclude-from=exclude -N -u -r nsa
+
+ userdom_manage_tmp_role($1_r, $1_usertype)
+ userdom_manage_tmpfs_role($1_r, $1_usertype)
-+
-+ ifelse(`$1',`unconfined',`',`
-+ gen_tunable(allow_$1_exec_content, true)
- userdom_manage_tmp_role($1_r, $1_t)
- userdom_manage_tmpfs_role($1_r, $1_t)
++ ifelse(`$1',`unconfined',`',`
++ gen_tunable(allow_$1_exec_content, true)
+
+- userdom_exec_user_tmp_files($1_t)
+- userdom_exec_user_home_content_files($1_t)
+ tunable_policy(`allow_$1_exec_content',`
+ userdom_exec_user_tmp_files($1_usertype)
+ userdom_exec_user_home_content_files($1_usertype)
@@ -36603,9 +36591,7 @@ diff --exclude-from=exclude -N -u -r nsa
+ tunable_policy(`allow_$1_exec_content && use_nfs_home_dirs',`
+ fs_exec_nfs_files($1_usertype)
+ ')
-
-- userdom_exec_user_tmp_files($1_t)
-- userdom_exec_user_home_content_files($1_t)
++
+ tunable_policy(`allow_$1_exec_content && use_samba_home_dirs',`
+ fs_exec_cifs_files($1_usertype)
+ ')
@@ -36613,7 +36599,7 @@ diff --exclude-from=exclude -N -u -r nsa
userdom_change_password_template($1)
-@@ -735,70 +861,73 @@
+@@ -735,70 +841,73 @@
allow $1_t self:context contains;
@@ -36678,10 +36664,10 @@ diff --exclude-from=exclude -N -u -r nsa
- miscfiles_exec_tetex_data($1_t)
+ miscfiles_read_tetex_data($1_usertype)
+ miscfiles_exec_tetex_data($1_usertype)
++
++ seutil_read_config($1_usertype)
- seutil_read_config($1_t)
-+ seutil_read_config($1_usertype)
-+
+ optional_policy(`
+ cups_read_config($1_usertype)
+ cups_stream_connect($1_usertype)
@@ -36720,7 +36706,7 @@ diff --exclude-from=exclude -N -u -r nsa
')
')
-@@ -830,12 +959,35 @@
+@@ -830,12 +939,35 @@
typeattribute $1_t unpriv_userdomain;
domain_interactive_fd($1_t)
@@ -36756,7 +36742,7 @@ diff --exclude-from=exclude -N -u -r nsa
loadkeys_run($1_t,$1_r)
')
')
-@@ -871,45 +1023,83 @@
+@@ -871,45 +1003,83 @@
#
auth_role($1_r, $1_t)
@@ -36831,14 +36817,14 @@ diff --exclude-from=exclude -N -u -r nsa
+
+ optional_policy(`
+ policykit_role($1_r, $1_usertype)
++ ')
++
++ optional_policy(`
++ pulseaudio_role($1_r, $1_usertype)
')
optional_policy(`
- java_role($1_r, $1_t)
-+ pulseaudio_role($1_r, $1_usertype)
-+ ')
-+
-+ optional_policy(`
+ rtkit_scheduled($1_usertype)
')
@@ -36855,7 +36841,7 @@ diff --exclude-from=exclude -N -u -r nsa
')
')
-@@ -944,7 +1134,7 @@
+@@ -944,7 +1114,7 @@
#
# Inherit rules for ordinary users.
@@ -36864,7 +36850,7 @@ diff --exclude-from=exclude -N -u -r nsa
userdom_common_user_template($1)
##############################
-@@ -953,54 +1143,73 @@
+@@ -953,54 +1123,73 @@
#
# port access is audited even if dac would not have allowed it, so dontaudit it here
@@ -36913,36 +36899,36 @@ diff --exclude-from=exclude -N -u -r nsa
- netutils_run_ping_cond($1_t,$1_r)
- netutils_run_traceroute_cond($1_t,$1_r)
+ cdrecord_role($1_r, $1_t)
- ')
-
-- # Run pppd in pppd_t by default for user
- optional_policy(`
-- ppp_run_cond($1_t,$1_r)
-+ cron_role($1_r, $1_t)
- ')
-
- optional_policy(`
-- setroubleshoot_stream_connect($1_t)
-+ games_rw_data($1_usertype)
+ ')
+
+ optional_policy(`
-+ gpg_role($1_r, $1_usertype)
++ cron_role($1_r, $1_t)
+ ')
+
+ optional_policy(`
-+ gnomeclock_dbus_chat($1_t)
++ games_rw_data($1_usertype)
+ ')
+
+ optional_policy(`
-+ gpm_stream_connect($1_usertype)
++ gpg_role($1_r, $1_usertype)
+ ')
+
+ optional_policy(`
-+ execmem_role_template($1, $1_r, $1_t)
++ gnomeclock_dbus_chat($1_t)
+ ')
+
+ optional_policy(`
++ gpm_stream_connect($1_usertype)
+ ')
+
+- # Run pppd in pppd_t by default for user
+ optional_policy(`
+- ppp_run_cond($1_t,$1_r)
++ execmem_role_template($1, $1_r, $1_t)
+ ')
+
+ optional_policy(`
+- setroubleshoot_stream_connect($1_t)
+ java_role_template($1, $1_r, $1_t)
+ ')
+
@@ -36968,7 +36954,7 @@ diff --exclude-from=exclude -N -u -r nsa
')
')
-@@ -1036,7 +1245,7 @@
+@@ -1036,7 +1225,7 @@
template(`userdom_admin_user_template',`
gen_require(`
attribute admindomain;
@@ -36977,7 +36963,7 @@ diff --exclude-from=exclude -N -u -r nsa
')
##############################
-@@ -1071,6 +1280,9 @@
+@@ -1071,6 +1260,9 @@
# Skip authentication when pam_rootok is specified.
allow $1_t self:passwd rootok;
@@ -36987,7 +36973,7 @@ diff --exclude-from=exclude -N -u -r nsa
kernel_read_software_raid_state($1_t)
kernel_getattr_core_if($1_t)
kernel_getattr_message_if($1_t)
-@@ -1085,6 +1297,7 @@
+@@ -1085,6 +1277,7 @@
kernel_sigstop_unlabeled($1_t)
kernel_signull_unlabeled($1_t)
kernel_sigchld_unlabeled($1_t)
@@ -36995,7 +36981,7 @@ diff --exclude-from=exclude -N -u -r nsa
corenet_tcp_bind_generic_port($1_t)
# allow setting up tunnels
-@@ -1116,10 +1329,13 @@
+@@ -1116,10 +1309,13 @@
domain_sigchld_all_domains($1_t)
# for lsof
domain_getattr_all_sockets($1_t)
@@ -37009,7 +36995,7 @@ diff --exclude-from=exclude -N -u -r nsa
fs_set_all_quotas($1_t)
fs_exec_noxattr($1_t)
-@@ -1139,6 +1355,7 @@
+@@ -1139,6 +1335,7 @@
logging_send_syslog_msg($1_t)
modutils_domtrans_insmod($1_t)
@@ -37017,7 +37003,7 @@ diff --exclude-from=exclude -N -u -r nsa
# The following rule is temporary until such time that a complete
# policy management infrastructure is in place so that an administrator
-@@ -1207,6 +1424,8 @@
+@@ -1207,6 +1404,8 @@
dev_relabel_all_dev_nodes($1)
files_create_boot_flag($1)
@@ -37026,7 +37012,7 @@ diff --exclude-from=exclude -N -u -r nsa
# Necessary for managing /boot/efi
fs_manage_dos_files($1)
-@@ -1234,6 +1453,7 @@
+@@ -1234,6 +1433,7 @@
seutil_run_checkpolicy($1,$2)
seutil_run_loadpolicy($1,$2)
seutil_run_semanage($1,$2)
@@ -37034,7 +37020,7 @@ diff --exclude-from=exclude -N -u -r nsa
seutil_run_setfiles($1, $2)
optional_policy(`
-@@ -1272,11 +1492,15 @@
+@@ -1272,11 +1472,15 @@
interface(`userdom_user_home_content',`
gen_require(`
type user_home_t;
@@ -37050,7 +37036,7 @@ diff --exclude-from=exclude -N -u -r nsa
')
########################################
-@@ -1387,6 +1611,7 @@
+@@ -1387,6 +1591,7 @@
')
allow $1 user_home_dir_t:dir search_dir_perms;
@@ -37058,7 +37044,7 @@ diff --exclude-from=exclude -N -u -r nsa
files_search_home($1)
')
-@@ -1433,6 +1658,14 @@
+@@ -1433,6 +1638,14 @@
allow $1 user_home_dir_t:dir list_dir_perms;
files_search_home($1)
@@ -37073,7 +37059,7 @@ diff --exclude-from=exclude -N -u -r nsa
')
########################################
-@@ -1448,9 +1681,11 @@
+@@ -1448,9 +1661,11 @@
interface(`userdom_dontaudit_list_user_home_dirs',`
gen_require(`
type user_home_dir_t;
@@ -37085,7 +37071,7 @@ diff --exclude-from=exclude -N -u -r nsa
')
########################################
-@@ -1507,6 +1742,42 @@
+@@ -1507,6 +1722,42 @@
allow $1 user_home_dir_t:dir relabelto;
')
@@ -37128,7 +37114,7 @@ diff --exclude-from=exclude -N -u -r nsa
########################################
## <summary>
## Create directories in the home dir root with
-@@ -1581,6 +1852,8 @@
+@@ -1581,6 +1832,8 @@
')
dontaudit $1 user_home_t:dir search_dir_perms;
@@ -37137,7 +37123,7 @@ diff --exclude-from=exclude -N -u -r nsa
')
########################################
-@@ -1595,10 +1868,12 @@
+@@ -1595,10 +1848,12 @@
#
interface(`userdom_list_user_home_content',`
gen_require(`
@@ -37152,7 +37138,7 @@ diff --exclude-from=exclude -N -u -r nsa
')
########################################
-@@ -1641,6 +1916,24 @@
+@@ -1641,6 +1896,24 @@
########################################
## <summary>
@@ -37177,7 +37163,7 @@ diff --exclude-from=exclude -N -u -r nsa
## Do not audit attempts to set the
## attributes of user home files.
## </summary>
-@@ -1692,6 +1985,7 @@
+@@ -1692,6 +1965,7 @@
type user_home_dir_t, user_home_t;
')
@@ -37185,7 +37171,7 @@ diff --exclude-from=exclude -N -u -r nsa
read_files_pattern($1, { user_home_dir_t user_home_t }, user_home_t)
files_search_home($1)
')
-@@ -1708,11 +2002,14 @@
+@@ -1708,11 +1982,14 @@
#
interface(`userdom_dontaudit_read_user_home_content_files',`
gen_require(`
@@ -37203,7 +37189,7 @@ diff --exclude-from=exclude -N -u -r nsa
')
########################################
-@@ -1802,8 +2099,7 @@
+@@ -1802,8 +2079,7 @@
type user_home_dir_t, user_home_t;
')
@@ -37213,7 +37199,7 @@ diff --exclude-from=exclude -N -u -r nsa
')
########################################
-@@ -1815,24 +2111,17 @@
+@@ -1815,25 +2091,18 @@
## Domain allowed access.
## </summary>
## </param>
@@ -37231,18 +37217,19 @@ diff --exclude-from=exclude -N -u -r nsa
-
- tunable_policy(`use_nfs_home_dirs',`
- fs_exec_nfs_files($1)
-- ')
--
-- tunable_policy(`use_samba_home_dirs',`
-- fs_exec_cifs_files($1)
+ exec_files_pattern($1, { user_home_dir_t user_home_type }, user_home_type)
+ dontaudit $1 user_home_type:sock_file execute;
')
--')
+- tunable_policy(`use_samba_home_dirs',`
+- fs_exec_cifs_files($1)
+- ')
+-')
+-
########################################
## <summary>
-@@ -1866,6 +2155,7 @@
+ ## Do not audit attempts to execute user home files.
+@@ -1866,6 +2135,7 @@
interface(`userdom_manage_user_home_content_files',`
gen_require(`
type user_home_dir_t, user_home_t;
@@ -37250,11 +37237,53 @@ diff --exclude-from=exclude -N -u -r nsa
')
manage_files_pattern($1, user_home_t, user_home_t)
-@@ -2102,6 +2392,25 @@
+@@ -2102,7 +2372,7 @@
########################################
## <summary>
+-## Do not audit attempts to list user
+## Do not audit attempts to search user
+ ## temporary directories.
+ ## </summary>
+ ## <param name="domain">
+@@ -2111,17 +2381,17 @@
+ ## </summary>
+ ## </param>
+ #
+-interface(`userdom_dontaudit_list_user_tmp',`
++interface(`userdom_dontaudit_search_user_tmp',`
+ gen_require(`
+ type user_tmp_t;
+ ')
+
+- dontaudit $1 user_tmp_t:dir list_dir_perms;
++ dontaudit $1 user_tmp_t:dir search_dir_perms;
+ ')
+
+ ########################################
+ ## <summary>
+-## Do not audit attempts to manage users
++## Do not audit attempts to list user
+ ## temporary directories.
+ ## </summary>
+ ## <param name="domain">
+@@ -2130,12 +2400,31 @@
+ ## </summary>
+ ## </param>
+ #
+-interface(`userdom_dontaudit_manage_user_tmp_dirs',`
++interface(`userdom_dontaudit_list_user_tmp',`
+ gen_require(`
+ type user_tmp_t;
+ ')
+
+- dontaudit $1 user_tmp_t:dir manage_dir_perms;
++ dontaudit $1 user_tmp_t:dir list_dir_perms;
++')
++
++########################################
++## <summary>
++## Do not audit attempts to manage users
+## temporary directories.
+## </summary>
+## <param name="domain">
@@ -37263,20 +37292,16 @@ diff --exclude-from=exclude -N -u -r nsa
+## </summary>
+## </param>
+#
-+interface(`userdom_dontaudit_search_user_tmp',`
++interface(`userdom_dontaudit_manage_user_tmp_dirs',`
+ gen_require(`
+ type user_tmp_t;
+ ')
+
-+ dontaudit $1 user_tmp_t:dir search_dir_perms;
-+')
-+
-+########################################
-+## <summary>
- ## Do not audit attempts to list user
- ## temporary directories.
- ## </summary>
-@@ -2218,6 +2527,25 @@
++ dontaudit $1 user_tmp_t:dir manage_dir_perms;
+ ')
+
+ ########################################
+@@ -2218,6 +2507,25 @@
########################################
## <summary>
@@ -37302,7 +37327,7 @@ diff --exclude-from=exclude -N -u -r nsa
## Do not audit attempts to manage users
## temporary files.
## </summary>
-@@ -2427,13 +2755,14 @@
+@@ -2427,13 +2735,14 @@
')
read_files_pattern($1, user_tmpfs_t, user_tmpfs_t)
@@ -37318,7 +37343,7 @@ diff --exclude-from=exclude -N -u -r nsa
## </summary>
## <param name="domain">
## <summary>
-@@ -2454,6 +2783,24 @@
+@@ -2454,6 +2763,24 @@
########################################
## <summary>
@@ -37343,7 +37368,7 @@ diff --exclude-from=exclude -N -u -r nsa
## Get the attributes of a user domain tty.
## </summary>
## <param name="domain">
-@@ -2747,6 +3094,25 @@
+@@ -2747,6 +3074,25 @@
########################################
## <summary>
@@ -37369,7 +37394,7 @@ diff --exclude-from=exclude -N -u -r nsa
## Execute bin_t in the unprivileged user domains. This
## is an explicit transition, requiring the
## caller to use setexeccon().
-@@ -2787,7 +3153,7 @@
+@@ -2787,7 +3133,7 @@
domain_entry_file_spec_domtrans($1, unpriv_userdomain)
allow unpriv_userdomain $1:fd use;
@@ -37378,7 +37403,7 @@ diff --exclude-from=exclude -N -u -r nsa
allow unpriv_userdomain $1:process sigchld;
')
-@@ -2803,11 +3169,13 @@
+@@ -2803,11 +3149,13 @@
#
interface(`userdom_search_user_home_content',`
gen_require(`
@@ -37394,7 +37419,7 @@ diff --exclude-from=exclude -N -u -r nsa
')
########################################
-@@ -2944,7 +3312,7 @@
+@@ -2944,7 +3292,7 @@
type user_tmp_t;
')
@@ -37403,7 +37428,7 @@ diff --exclude-from=exclude -N -u -r nsa
')
########################################
-@@ -2981,6 +3349,7 @@
+@@ -2981,6 +3329,7 @@
')
read_files_pattern($1, userdomain, userdomain)
@@ -37411,7 +37436,7 @@ diff --exclude-from=exclude -N -u -r nsa
kernel_search_proc($1)
')
-@@ -3111,3 +3480,682 @@
+@@ -3111,3 +3460,682 @@
allow $1 userdomain:dbus send_msg;
')
More information about the scm-commits
mailing list