[selinux-policy/f13/master] - Add namespace policy - Update for screen policy to handle pipe in homedir - Fixes for polyinstatia
Miroslav Grepl
mgrepl at fedoraproject.org
Fri Jan 14 14:24:14 UTC 2011
commit bd7b2f00f1ec4387405e836823fda7aa870d6014
Author: Miroslav Grepl <mgrepl at redhat.com>
Date: Fri Jan 14 15:23:41 2011 +0000
- Add namespace policy
- Update for screen policy to handle pipe in homedir
- Fixes for polyinstantiated homedir
modules-mls.conf | 7 +
modules-targeted.conf | 7 +
policy-F13.patch | 432 +++++++++++++++++++++++++++++++++++-------------
selinux-policy.spec | 7 +-
4 files changed, 335 insertions(+), 118 deletions(-)
---
diff --git a/modules-mls.conf b/modules-mls.conf
index bbf854f..b994d4d 100644
--- a/modules-mls.conf
+++ b/modules-mls.conf
@@ -2082,3 +2082,10 @@ shorewall = base
# Policy for shutdown
#
shutdown = module
+
+# Layer: apps
+# Module: namespace
+#
+# policy for namespace.init script
+#
+namespace = module
diff --git a/modules-targeted.conf b/modules-targeted.conf
index f302c42..dc9e340 100644
--- a/modules-targeted.conf
+++ b/modules-targeted.conf
@@ -2230,3 +2230,10 @@ milter = module
# Foundation websites.
#
mediawiki = module
+
+# Layer: apps
+# Module: namespace
+#
+# policy for namespace.init script
+#
+namespace = module
diff --git a/policy-F13.patch b/policy-F13.patch
index 53d5d35..cdb4f4a 100644
--- a/policy-F13.patch
+++ b/policy-F13.patch
@@ -2581,8 +2581,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/shutdow
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/shutdown.te serefpolicy-3.7.19/policy/modules/admin/shutdown.te
--- nsaserefpolicy/policy/modules/admin/shutdown.te 1970-01-01 01:00:00.000000000 +0100
-+++ serefpolicy-3.7.19/policy/modules/admin/shutdown.te 2010-10-26 10:35:13.462651140 +0200
-@@ -0,0 +1,68 @@
++++ serefpolicy-3.7.19/policy/modules/admin/shutdown.te 2011-01-14 14:43:24.000042258 +0100
+@@ -0,0 +1,70 @@
+policy_module(shutdown,1.0.0)
+
+########################################
@@ -2618,6 +2618,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/shutdow
+manage_files_pattern(shutdown_t, shutdown_var_run_t, shutdown_var_run_t)
+files_pid_filetrans(shutdown_t, shutdown_var_run_t, file)
+
++kernel_read_system_state(shutdown_t)
++
+files_read_etc_files(shutdown_t)
+files_read_generic_pids(shutdown_t)
+
@@ -5787,6 +5789,105 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mplayer.
+ pulseaudio_stream_connect(mplayer_t)
+')
+
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/namespace.fc serefpolicy-3.7.19/policy/modules/apps/namespace.fc
+--- nsaserefpolicy/policy/modules/apps/namespace.fc 1970-01-01 01:00:00.000000000 +0100
++++ serefpolicy-3.7.19/policy/modules/apps/namespace.fc 2011-01-14 14:26:59.318042402 +0100
+@@ -0,0 +1,3 @@
++
++/etc/security/namespace.init -- gen_context(system_u:object_r:namespace_init_exec_t,s0)
++
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/namespace.if serefpolicy-3.7.19/policy/modules/apps/namespace.if
+--- nsaserefpolicy/policy/modules/apps/namespace.if 1970-01-01 01:00:00.000000000 +0100
++++ serefpolicy-3.7.19/policy/modules/apps/namespace.if 2011-01-14 14:26:59.318042402 +0100
+@@ -0,0 +1,46 @@
++
++## <summary>policy for namespace</summary>
++
++########################################
++## <summary>
++## Execute a domain transition to run namespace_init.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`namespace_init_domtrans',`
++ gen_require(`
++ type namespace_init_t, namespace_init_exec_t;
++ ')
++
++ domtrans_pattern($1, namespace_init_exec_t, namespace_init_t)
++')
++
++
++########################################
++## <summary>
++## Execute namespace_init in the namespace_init domain, and
++## allow the specified role the namespace_init domain.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access
++## </summary>
++## </param>
++## <param name="role">
++## <summary>
++## The role to be allowed the namespace_init domain.
++## </summary>
++## </param>
++#
++interface(`namespace_init_run',`
++ gen_require(`
++ type namespace_init_t;
++ ')
++
++ namespace_init_domtrans($1)
++ role $2 types namespace_init_t;
++')
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/namespace.te serefpolicy-3.7.19/policy/modules/apps/namespace.te
+--- nsaserefpolicy/policy/modules/apps/namespace.te 1970-01-01 01:00:00.000000000 +0100
++++ serefpolicy-3.7.19/policy/modules/apps/namespace.te 2011-01-14 14:26:59.318042402 +0100
+@@ -0,0 +1,38 @@
++policy_module(namespace,1.0.0)
++
++########################################
++#
++# Declarations
++#
++
++type namespace_init_t;
++type namespace_init_exec_t;
++init_system_domain(namespace_init_t, namespace_init_exec_t)
++role system_r types namespace_init_t;
++
++permissive namespace_init_t;
++
++########################################
++#
++# namespace_init local policy
++#
++
++allow namespace_init_t self:capability dac_override;
++
++allow namespace_init_t self:fifo_file manage_fifo_file_perms;
++allow namespace_init_t self:unix_stream_socket create_stream_socket_perms;
++
++kernel_read_system_state(namespace_init_t)
++
++domain_use_interactive_fds(namespace_init_t)
++
++files_read_etc_files(namespace_init_t)
++files_polyinstantiate_all(namespace_init_t)
++
++miscfiles_read_localization(namespace_init_t)
++
++userdom_manage_user_home_content_dirs(namespace_init_t)
++userdom_manage_user_home_content_files(namespace_init_t)
++userdom_relabelto_user_home_dirs(namespace_init_t)
++userdom_relabelto_user_home_files(namespace_init_t)
++userdom_user_home_dir_filetrans_user_home_content(namespace_init_t, { dir file lnk_file fifo_file sock_file })
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin.fc serefpolicy-3.7.19/policy/modules/apps/nsplugin.fc
--- nsaserefpolicy/policy/modules/apps/nsplugin.fc 1970-01-01 01:00:00.000000000 +0100
+++ serefpolicy-3.7.19/policy/modules/apps/nsplugin.fc 2010-05-28 09:41:59.992610642 +0200
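Review bot: `permissive namespace_init_t;` in the new namespace.te leaves the domain unenforced, so the rules below it only shape audit output while whatever /etc/security/namespace.init does is still permitted. That matters because the domain is reached from login programs (the `namespace_init_domtrans(polydomain)` call added in the authlogin.te hunk) and is given `dac_override` plus manage and relabelto access on user home content. I would add a comment above the line, for example `# TODO: drop permissive once AVCs from namespace.init have been reviewed`, and remove the declaration before the module is relied on for confinement. Separately, the namespace.fc entry leaves the dot unescaped; `namespace\.init` would match only the intended file name, as the other corecommands.fc entries in this patch do.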
@@ -7895,6 +7996,30 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox.
+ mozilla_dontaudit_rw_user_home_files(sandbox_x_domain)
+')
+
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/screen.fc serefpolicy-3.7.19/policy/modules/apps/screen.fc
+--- nsaserefpolicy/policy/modules/apps/screen.fc 2010-04-13 20:44:37.000000000 +0200
++++ serefpolicy-3.7.19/policy/modules/apps/screen.fc 2011-01-14 14:38:24.501042642 +0100
+@@ -2,6 +2,7 @@
+ # /home
+ #
+ HOME_DIR/\.screenrc -- gen_context(system_u:object_r:screen_home_t,s0)
++HOME_DIR/\.screen(/.*)? gen_context(system_u:object_r:screen_home_t,s0)
+
+ #
+ # /usr
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/screen.if serefpolicy-3.7.19/policy/modules/apps/screen.if
+--- nsaserefpolicy/policy/modules/apps/screen.if 2010-04-13 20:44:37.000000000 +0200
++++ serefpolicy-3.7.19/policy/modules/apps/screen.if 2011-01-14 14:39:47.869062903 +0100
+@@ -64,6 +64,9 @@
+ files_pid_filetrans($1_screen_t, screen_var_run_t, dir)
+
+ allow $1_screen_t screen_home_t:dir list_dir_perms;
++ manage_dirs_pattern($1_screen_t, screen_home_t, screen_home_t)
++ manage_fifo_files_pattern($1_screen_t, screen_home_t, screen_home_t)
++ userdom_user_home_dir_filetrans($1_screen_t, screen_home_t, dir)
+ read_files_pattern($1_screen_t, screen_home_t, screen_home_t)
+ read_lnk_files_pattern($1_screen_t, screen_home_t, screen_home_t)
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/seunshare.if serefpolicy-3.7.19/policy/modules/apps/seunshare.if
--- nsaserefpolicy/policy/modules/apps/seunshare.if 2010-04-13 20:44:37.000000000 +0200
+++ serefpolicy-3.7.19/policy/modules/apps/seunshare.if 2010-05-28 09:42:00.006611051 +0200
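Review bot: `userdom_user_home_dir_filetrans($1_screen_t, screen_home_t, dir)` in screen.if is not tied to the `.screen` name, so as written any directory the screen domain creates directly in a user home directory would be labelled screen_home_t. A short comment such as `# ~/.screen holds the session fifos` above the three added lines would record why manage access is now needed on a type that this hunk otherwise shows as list/read only. Only fifo_file is covered; if a screen build uses sockets in that directory instead (not visible here), `manage_sock_files_pattern` would be needed as well. The template body continues outside the hunk.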
@@ -8773,7 +8898,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/vmware.i
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/vmware.te serefpolicy-3.7.19/policy/modules/apps/vmware.te
--- nsaserefpolicy/policy/modules/apps/vmware.te 2010-04-13 20:44:37.000000000 +0200
-+++ serefpolicy-3.7.19/policy/modules/apps/vmware.te 2010-09-09 10:27:11.540085109 +0200
++++ serefpolicy-3.7.19/policy/modules/apps/vmware.te 2011-01-14 14:42:02.815042356 +0100
@@ -29,6 +29,10 @@
type vmware_host_exec_t;
init_daemon_domain(vmware_host_t, vmware_host_exec_t)
@@ -8825,7 +8950,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/vmware.t
fs_getattr_all_fs(vmware_host_t)
fs_search_auto_mountpoints(vmware_host_t)
-@@ -151,6 +166,10 @@
+@@ -146,11 +161,19 @@
+ netutils_domtrans_ping(vmware_host_t)
+
+ optional_policy(`
++ samba_read_config(vmware_host_t)
++')
++
++optional_policy(`
+ seutil_sigchld_newrole(vmware_host_t)
+
')
optional_policy(`
@@ -8995,7 +9129,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wm.if se
########################################
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corecommands.fc serefpolicy-3.7.19/policy/modules/kernel/corecommands.fc
--- nsaserefpolicy/policy/modules/kernel/corecommands.fc 2010-04-13 20:44:37.000000000 +0200
-+++ serefpolicy-3.7.19/policy/modules/kernel/corecommands.fc 2010-12-09 13:03:34.785041435 +0100
++++ serefpolicy-3.7.19/policy/modules/kernel/corecommands.fc 2011-01-14 14:27:46.058042202 +0100
@@ -9,8 +9,11 @@
/bin/bash2 -- gen_context(system_u:object_r:shell_exec_t,s0)
/bin/fish -- gen_context(system_u:object_r:shell_exec_t,s0)
@@ -9039,7 +9173,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/coreco
/etc/ppp/ip-down\..* -- gen_context(system_u:object_r:bin_t,s0)
/etc/ppp/ip-up\..* -- gen_context(system_u:object_r:bin_t,s0)
/etc/ppp/ipv6-up\..* -- gen_context(system_u:object_r:bin_t,s0)
-@@ -105,6 +118,8 @@
+@@ -79,8 +92,6 @@
+
+ /etc/rc\.d/init\.d/functions -- gen_context(system_u:object_r:bin_t,s0)
+
+-/etc/security/namespace.init -- gen_context(system_u:object_r:bin_t,s0)
+-
+ /etc/sysconfig/crond -- gen_context(system_u:object_r:bin_t,s0)
+ /etc/sysconfig/init -- gen_context(system_u:object_r:bin_t,s0)
+ /etc/sysconfig/libvirtd -- gen_context(system_u:object_r:bin_t,s0)
+@@ -105,6 +116,8 @@
/etc/mysql/debian-start -- gen_context(system_u:object_r:bin_t,s0)
')
@@ -9048,7 +9191,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/coreco
#
# /lib
#
-@@ -147,12 +162,16 @@
+@@ -147,12 +160,16 @@
/opt/vmware/workstation/lib/lib/wrapper-gtk24\.sh -- gen_context(system_u:object_r:bin_t,s0)
')
@@ -9065,7 +9208,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/coreco
/usr/bin/fish -- gen_context(system_u:object_r:shell_exec_t,s0)
/usr/bin/scponly -- gen_context(system_u:object_r:shell_exec_t,s0)
-@@ -189,7 +208,8 @@
+@@ -189,7 +206,8 @@
/usr/lib(64)?/debug/bin(/.*)? -- gen_context(system_u:object_r:bin_t,s0)
/usr/lib(64)?/debug/sbin(/.*)? -- gen_context(system_u:object_r:bin_t,s0)
/usr/lib(64)?/debug/usr/bin(/.*)? -- gen_context(system_u:object_r:bin_t,s0)
@@ -9075,7 +9218,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/coreco
/usr/lib(64)?/[^/]*thunderbird[^/]*/thunderbird -- gen_context(system_u:object_r:bin_t,s0)
/usr/lib(64)?/[^/]*thunderbird[^/]*/thunderbird-bin -- gen_context(system_u:object_r:bin_t,s0)
-@@ -216,11 +236,17 @@
+@@ -216,11 +234,17 @@
/usr/share/apr-0/build/[^/]+\.sh -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/apr-0/build/libtool -- gen_context(system_u:object_r:bin_t,s0)
@@ -9093,7 +9236,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/coreco
/usr/share/gnucash/finance-quote-check -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/gnucash/finance-quote-helper -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/hal/device-manager/hal-device-manager -- gen_context(system_u:object_r:bin_t,s0)
-@@ -240,6 +266,7 @@
+@@ -240,6 +264,7 @@
/usr/share/shorewall-shell(/.*)? gen_context(system_u:object_r:bin_t,s0)
/usr/share/shorewall-lite(/.*)? gen_context(system_u:object_r:bin_t,s0)
/usr/share/shorewall6-lite(/.*)? gen_context(system_u:object_r:bin_t,s0)
@@ -9101,7 +9244,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/coreco
/usr/share/turboprint/lib(/.*)? -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/vhostmd/scripts(/.*)? gen_context(system_u:object_r:bin_t,s0)
-@@ -297,6 +324,7 @@
+@@ -297,6 +322,7 @@
/usr/share/system-config-rootpassword/system-config-rootpassword -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/system-config-samba/system-config-samba\.py -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/system-config-securitylevel/system-config-securitylevel\.py -- gen_context(system_u:object_r:bin_t,s0)
@@ -9109,7 +9252,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/coreco
/usr/share/system-config-services/serviceconf\.py -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/system-config-services/system-config-services -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/system-config-soundcard/system-config-soundcard -- gen_context(system_u:object_r:bin_t,s0)
-@@ -305,6 +333,7 @@
+@@ -305,6 +331,7 @@
/usr/share/texmf/web2c/mktexdir -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/texmf/web2c/mktexnam -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/texmf/web2c/mktexupd -- gen_context(system_u:object_r:bin_t,s0)
@@ -9117,7 +9260,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/coreco
')
ifdef(`distro_suse', `
-@@ -331,3 +360,24 @@
+@@ -331,3 +358,24 @@
ifdef(`distro_suse',`
/var/lib/samba/bin/.+ gen_context(system_u:object_r:bin_t,s0)
')
@@ -9826,7 +9969,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/device
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain.if serefpolicy-3.7.19/policy/modules/kernel/domain.if
--- nsaserefpolicy/policy/modules/kernel/domain.if 2010-04-13 20:44:37.000000000 +0200
-+++ serefpolicy-3.7.19/policy/modules/kernel/domain.if 2010-05-28 09:42:00.025610713 +0200
++++ serefpolicy-3.7.19/policy/modules/kernel/domain.if 2011-01-14 14:56:43.663041883 +0100
@@ -611,7 +611,7 @@
########################################
@@ -9883,32 +10026,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain
## Allow specified type to receive labeled
## networking packets from all domains, over
## all protocols (TCP, UDP, etc)
-@@ -1422,6 +1438,24 @@
-
- ########################################
- ## <summary>
-+## Polyinstatiated access to domains.
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain allowed access.
-+## </summary>
-+## </param>
-+#
-+interface(`domain_poly',`
-+ gen_require(`
-+ attribute polydomain;
-+ ')
-+
-+ typeattribute $1 polydomain;
-+')
-+
-+########################################
-+## <summary>
- ## Unconfined access to domains.
- ## </summary>
- ## <param name="domain">
-@@ -1445,3 +1479,22 @@
+@@ -1445,3 +1461,22 @@
typeattribute $1 set_curr_context;
typeattribute $1 process_uncond_exempt;
')
@@ -9933,7 +10051,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain.te serefpolicy-3.7.19/policy/modules/kernel/domain.te
--- nsaserefpolicy/policy/modules/kernel/domain.te 2010-04-13 20:44:37.000000000 +0200
-+++ serefpolicy-3.7.19/policy/modules/kernel/domain.te 2010-06-21 10:20:35.057073094 +0200
++++ serefpolicy-3.7.19/policy/modules/kernel/domain.te 2011-01-14 14:56:31.997041208 +0100
@@ -5,6 +5,21 @@
#
# Declarations
@@ -9956,16 +10074,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain
# Mark process types as domains
attribute domain;
-@@ -15,6 +30,8 @@
- # Domains that are unconfined
- attribute unconfined_domain_type;
-
-+attribute polydomain;
-+
- # Domains that can mmap low memory.
- attribute mmap_low_domain_type;
- neverallow { domain -mmap_low_domain_type } self:memprotect mmap_zero;
-@@ -80,14 +97,17 @@
+@@ -80,14 +95,17 @@
allow domain self:lnk_file { read_lnk_file_perms lock ioctl };
allow domain self:file rw_file_perms;
kernel_read_proc_symlinks(domain)
@@ -9984,7 +10093,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain
# Use trusted objects in /dev
dev_rw_null(domain)
-@@ -97,6 +117,13 @@
+@@ -97,6 +115,13 @@
# list the root directory
files_list_root(domain)
@@ -9998,7 +10107,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain
tunable_policy(`global_ssp',`
# enable reading of urandom for all domains:
# this should be enabled when all programs
-@@ -106,8 +133,13 @@
+@@ -106,8 +131,13 @@
')
optional_policy(`
@@ -10012,7 +10121,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain
')
optional_policy(`
-@@ -118,6 +150,7 @@
+@@ -118,6 +148,7 @@
optional_policy(`
xserver_dontaudit_use_xdm_fds(domain)
xserver_dontaudit_rw_xdm_pipes(domain)
@@ -10020,7 +10129,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain
')
########################################
-@@ -136,6 +169,8 @@
+@@ -136,6 +167,8 @@
allow unconfined_domain_type domain:fd use;
allow unconfined_domain_type domain:fifo_file rw_file_perms;
@@ -10029,7 +10138,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain
# Act upon any other process.
allow unconfined_domain_type domain:process ~{ transition dyntransition execmem execstack execheap };
-@@ -153,3 +188,79 @@
+@@ -153,3 +186,79 @@
# receive from all domains over labeled networking
domain_all_recvfrom_all_domains(unconfined_domain_type)
@@ -11871,7 +11980,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesy
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesystem.te serefpolicy-3.7.19/policy/modules/kernel/filesystem.te
--- nsaserefpolicy/policy/modules/kernel/filesystem.te 2010-04-13 20:44:37.000000000 +0200
-+++ serefpolicy-3.7.19/policy/modules/kernel/filesystem.te 2010-08-10 16:16:53.228335467 +0200
++++ serefpolicy-3.7.19/policy/modules/kernel/filesystem.te 2011-01-14 11:10:52.101041649 +0100
@@ -53,6 +53,7 @@
fs_type(anon_inodefs_t)
files_mountpoint(anon_inodefs_t)
@@ -11901,6 +12010,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesy
files_mountpoint(removable_t)
#
+@@ -262,6 +270,7 @@
+ genfscon reiserfs / gen_context(system_u:object_r:nfs_t,s0)
+ genfscon panfs / gen_context(system_u:object_r:nfs_t,s0)
+ genfscon gadgetfs / gen_context(system_u:object_r:nfs_t,s0)
++#genfscon 9p / gen_context(system_u:object_r:nfs_t,s0)
+
+ ########################################
+ #
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel.if serefpolicy-3.7.19/policy/modules/kernel/kernel.if
--- nsaserefpolicy/policy/modules/kernel/kernel.if 2010-04-13 20:44:37.000000000 +0200
+++ serefpolicy-3.7.19/policy/modules/kernel/kernel.if 2010-05-28 09:42:00.038610838 +0200
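Review bot: The added `#genfscon 9p / gen_context(system_u:object_r:nfs_t,s0)` in filesystem.te is commented-out policy with no explanation, so a reader cannot tell whether 9p is deliberately left without a genfscon entry or whether this is unfinished work. Either drop the line or put the reason above it, e.g. `# 9p left disabled: <reason>`. Labelling a 9p mount nfs_t would also place it under every rule and boolean written for NFS, which is worth stating in that comment if the line is ever enabled.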
@@ -13029,7 +13146,6 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm.
+kernel_read_fs_sysctls(sysadm_t)
+modutils_read_module_deps(sysadm_t)
+miscfiles_read_hwdata(sysadm_t)
-Binary files nsaserefpolicy/policy/modules/roles/.sysadm.te.swp and serefpolicy-3.7.19/policy/modules/roles/.sysadm.te.swp differ
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unconfineduser.fc serefpolicy-3.7.19/policy/modules/roles/unconfineduser.fc
--- nsaserefpolicy/policy/modules/roles/unconfineduser.fc 1970-01-01 01:00:00.000000000 +0100
+++ serefpolicy-3.7.19/policy/modules/roles/unconfineduser.fc 2010-05-28 09:42:00.047610527 +0200
@@ -13756,7 +13872,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unconfi
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unconfineduser.te serefpolicy-3.7.19/policy/modules/roles/unconfineduser.te
--- nsaserefpolicy/policy/modules/roles/unconfineduser.te 1970-01-01 01:00:00.000000000 +0100
-+++ serefpolicy-3.7.19/policy/modules/roles/unconfineduser.te 2010-10-05 16:53:14.162651746 +0200
++++ serefpolicy-3.7.19/policy/modules/roles/unconfineduser.te 2011-01-14 14:20:39.378128074 +0100
@@ -0,0 +1,453 @@
+policy_module(unconfineduser, 1.0.0)
+
@@ -13789,7 +13905,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unconfi
+
+## <desc>
+## <p>
-+## Ignore wine mmap_zero errors
++## Ignore unconfined mmap_zero errors
+## </p>
+## </desc>
+gen_tunable(unconfined_mmap_zero_ignore, false)
@@ -18578,7 +18694,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/chro
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/chronyd.te serefpolicy-3.7.19/policy/modules/services/chronyd.te
--- nsaserefpolicy/policy/modules/services/chronyd.te 2010-04-13 20:44:36.000000000 +0200
-+++ serefpolicy-3.7.19/policy/modules/services/chronyd.te 2010-05-28 09:42:00.077610724 +0200
++++ serefpolicy-3.7.19/policy/modules/services/chronyd.te 2011-01-14 14:47:12.321041202 +0100
@@ -16,6 +16,9 @@
type chronyd_keys_t;
files_type(chronyd_keys_t)
@@ -18608,16 +18724,29 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/chro
manage_files_pattern(chronyd_t, chronyd_var_lib_t, chronyd_var_lib_t)
manage_dirs_pattern(chronyd_t, chronyd_var_lib_t, chronyd_var_lib_t)
manage_sock_files_pattern(chronyd_t, chronyd_var_lib_t, chronyd_var_lib_t)
-@@ -51,7 +59,9 @@
+@@ -51,7 +59,13 @@
manage_dirs_pattern(chronyd_t, chronyd_var_run_t, chronyd_var_run_t)
files_pid_filetrans(chronyd_t, chronyd_var_run_t, file)
++kernel_read_system_state(chronyd_t)
++
++corecmd_exec_shell(chronyd_t)
++
+corenet_udp_bind_generic_node(chronyd_t)
corenet_udp_bind_ntp_port(chronyd_t)
+
# bind to udp/323
corenet_udp_bind_chronyd_port(chronyd_t)
+@@ -64,6 +78,8 @@
+
+ miscfiles_read_localization(chronyd_t)
+
++mta_send_mail(chronyd_t)
++
+ optional_policy(`
+ gpsd_rw_shm(chronyd_t)
+ ')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clamav.if serefpolicy-3.7.19/policy/modules/services/clamav.if
--- nsaserefpolicy/policy/modules/services/clamav.if 2010-04-13 20:44:37.000000000 +0200
+++ serefpolicy-3.7.19/policy/modules/services/clamav.if 2010-10-18 15:38:09.251650866 +0200
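Review bot: `mta_send_mail(chronyd_t)` is called unconditionally in chronyd.te, while the cross-module call right below it (`gpsd_rw_shm`) sits in an `optional_policy` block; wrapping the mta call the same way keeps the module buildable when mta is not present. Together with `corecmd_exec_shell(chronyd_t)` earlier in this hunk, the change lets a network-facing time daemon run a shell and hand off to the mail domain. Each of those lines deserves a comment naming the chronyd feature that needs it (presumably mail notification on clock changes; confirm against the bug report). If that feature is optional, gating both lines behind it would keep the default domain narrower.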
@@ -22688,7 +22817,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dove
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dovecot.te serefpolicy-3.7.19/policy/modules/services/dovecot.te
--- nsaserefpolicy/policy/modules/services/dovecot.te 2010-04-13 20:44:37.000000000 +0200
-+++ serefpolicy-3.7.19/policy/modules/services/dovecot.te 2010-12-15 15:26:48.255042227 +0100
++++ serefpolicy-3.7.19/policy/modules/services/dovecot.te 2011-01-14 14:46:52.457041882 +0100
@@ -9,6 +9,9 @@
type dovecot_exec_t;
init_daemon_domain(dovecot_t, dovecot_exec_t)
@@ -22882,7 +23011,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dove
miscfiles_read_localization(dovecot_deliver_t)
-@@ -263,15 +313,24 @@
+@@ -263,15 +313,30 @@
userdom_user_home_dir_filetrans_user_home_content(dovecot_deliver_t, { dir file lnk_file fifo_file sock_file })
tunable_policy(`use_nfs_home_dirs',`
@@ -22906,6 +23035,12 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dove
optional_policy(`
mta_manage_spool(dovecot_deliver_t)
+ mta_read_queue(dovecot_deliver_t)
++')
++
++optional_policy(`
++ # Handle sieve scripts
++ allow dovecot_deliver_t self:fifo_file rw_fifo_file_perms;
++ sendmail_domtrans(dovecot_deliver_t)
')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/exim.fc serefpolicy-3.7.19/policy/modules/services/exim.fc
--- nsaserefpolicy/policy/modules/services/exim.fc 2010-04-13 20:44:37.000000000 +0200
@@ -36598,7 +36733,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.te serefpolicy-3.7.19/policy/modules/services/ssh.te
--- nsaserefpolicy/policy/modules/services/ssh.te 2010-04-13 20:44:37.000000000 +0200
-+++ serefpolicy-3.7.19/policy/modules/services/ssh.te 2011-01-04 16:02:58.400042759 +0100
++++ serefpolicy-3.7.19/policy/modules/services/ssh.te 2011-01-14 14:36:33.523041523 +0100
@@ -34,13 +34,12 @@
ssh_server_template(sshd)
init_daemon_domain(sshd_t, sshd_exec_t)
@@ -36616,7 +36751,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.
ifdef(`enable_mcs',`
init_ranged_daemon_domain(sshd_t, sshd_exec_t, s0 - mcs_systemhigh)
')
-@@ -97,14 +96,11 @@
+@@ -79,6 +78,7 @@
+ typealias ssh_home_t alias { auditadm_home_ssh_t secadm_home_ssh_t };
+ files_type(ssh_home_t)
+ userdom_user_home_content(ssh_home_t)
++files_poly_parent(ssh_home_t)
+
+ ##############################
+ #
+@@ -97,14 +97,11 @@
allow ssh_t self:msg { send receive };
allow ssh_t self:tcp_socket create_stream_socket_perms;
@@ -36633,7 +36776,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.
manage_files_pattern(ssh_t, ssh_tmpfs_t, ssh_tmpfs_t)
manage_lnk_files_pattern(ssh_t, ssh_tmpfs_t, ssh_tmpfs_t)
manage_fifo_files_pattern(ssh_t, ssh_tmpfs_t, ssh_tmpfs_t)
-@@ -114,6 +110,7 @@
+@@ -114,6 +111,7 @@
manage_dirs_pattern(ssh_t, ssh_home_t, ssh_home_t)
manage_sock_files_pattern(ssh_t, ssh_home_t, ssh_home_t)
userdom_user_home_dir_filetrans(ssh_t, ssh_home_t, { dir sock_file })
@@ -36641,7 +36784,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.
# Allow the ssh program to communicate with ssh-agent.
stream_connect_pattern(ssh_t, ssh_agent_tmp_t, ssh_agent_tmp_t, ssh_agent_type)
-@@ -125,9 +122,10 @@
+@@ -125,9 +123,10 @@
read_lnk_files_pattern(ssh_t, ssh_home_t, ssh_home_t)
# ssh servers can read the user keys and config
@@ -36655,7 +36798,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.
kernel_read_kernel_sysctls(ssh_t)
kernel_read_system_state(ssh_t)
-@@ -139,6 +137,8 @@
+@@ -139,6 +138,8 @@
corenet_tcp_sendrecv_all_ports(ssh_t)
corenet_tcp_connect_ssh_port(ssh_t)
corenet_sendrecv_ssh_client_packets(ssh_t)
@@ -36664,7 +36807,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.
dev_read_urand(ssh_t)
-@@ -170,8 +170,10 @@
+@@ -170,8 +171,10 @@
userdom_search_user_home_dirs(ssh_t)
# Write to the user domain tty.
userdom_use_user_terminals(ssh_t)
@@ -36676,7 +36819,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.
tunable_policy(`allow_ssh_keysign',`
domain_auto_trans(ssh_t, ssh_keysign_exec_t, ssh_keysign_t)
-@@ -217,6 +219,9 @@
+@@ -217,6 +220,9 @@
allow ssh_keygen_t sshd_key_t:file manage_file_perms;
files_etc_filetrans(ssh_keygen_t, sshd_key_t, file)
@@ -36686,7 +36829,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.
kernel_read_kernel_sysctls(ssh_keygen_t)
fs_search_auto_mountpoints(ssh_keygen_t)
-@@ -282,36 +287,39 @@
+@@ -282,36 +288,39 @@
allow sshd_t self:netlink_route_socket r_netlink_socket_perms;
allow sshd_t self:key { search link write };
@@ -36735,7 +36878,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.
')
optional_policy(`
-@@ -319,10 +327,27 @@
+@@ -319,10 +328,27 @@
')
optional_policy(`
@@ -36763,7 +36906,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.
rpm_use_script_fds(sshd_t)
')
-@@ -333,10 +358,18 @@
+@@ -333,10 +359,18 @@
')
optional_policy(`
@@ -39980,7 +40123,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo
/var/run/sepermit(/.*)? gen_context(system_u:object_r:pam_var_run_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.if serefpolicy-3.7.19/policy/modules/system/authlogin.if
--- nsaserefpolicy/policy/modules/system/authlogin.if 2010-04-13 20:44:37.000000000 +0200
-+++ serefpolicy-3.7.19/policy/modules/system/authlogin.if 2010-12-06 18:48:03.147042522 +0100
++++ serefpolicy-3.7.19/policy/modules/system/authlogin.if 2011-01-14 14:33:19.234041121 +0100
@@ -41,7 +41,6 @@
## </param>
#
@@ -39989,16 +40132,20 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo
# for SSP/ProPolice
dev_read_urand($1)
# for encrypted homedir
-@@ -94,6 +93,8 @@
+@@ -91,9 +90,12 @@
+ interface(`auth_login_pgm_domain',`
+ gen_require(`
+ type var_auth_t, auth_cache_t;
++ attribute polydomain;
')
domain_type($1)
-+ domain_poly($1)
++ typeattribute $1 polydomain;
+
domain_subj_id_change_exemption($1)
domain_role_change_exemption($1)
domain_obj_id_change_exemption($1)
-@@ -107,6 +108,7 @@
+@@ -107,6 +109,7 @@
allow $1 self:capability ipc_lock;
allow $1 self:process setkeycreate;
allow $1 self:key manage_key_perms;
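Review bot: `typeattribute $1 polydomain;` replaces the `domain_poly($1)` call here, and the domain.if hunk of this same patch deletes the `domain_poly` interface outright. Any other module that still calls `domain_poly()` would no longer compile; none is visible in this diff, so a grep over the policy tree before merging is worth doing. The doc block of auth_login_pgm_domain (outside the hunk) should also state that callers become members of polydomain and so pick up the allow_polyinstantiation rules added in authlogin.te.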
@@ -40006,7 +40153,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo
files_list_var_lib($1)
manage_files_pattern($1, var_auth_t, var_auth_t)
-@@ -141,6 +143,7 @@
+@@ -141,6 +144,7 @@
mls_process_set_level($1)
mls_fd_share_all_levels($1)
@@ -40014,10 +40161,12 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo
auth_use_pam($1)
init_rw_utmp($1)
-@@ -151,6 +154,45 @@
+@@ -151,8 +155,43 @@
seutil_read_config($1)
seutil_read_default_contexts($1)
+- tunable_policy(`allow_polyinstantiation',`
+- files_polyinstantiate_all($1)
+ userdom_set_rlimitnh($1)
+ userdom_stream_connect($1)
+ userdom_read_user_home_content_symlinks($1)
@@ -40055,12 +40204,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo
+ ssh_agent_exec($1)
+ ssh_read_user_home_files($1)
+ userdom_read_user_home_content_files($1)
-+ ')
-+
- tunable_policy(`allow_polyinstantiation',`
- files_polyinstantiate_all($1)
')
-@@ -365,13 +407,21 @@
+ ')
+
+@@ -365,13 +404,21 @@
')
optional_policy(`
@@ -40083,7 +40230,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo
')
########################################
-@@ -418,6 +468,7 @@
+@@ -418,6 +465,7 @@
auth_domtrans_chk_passwd($1)
role $2 types chkpwd_t;
@@ -40091,7 +40238,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo
')
########################################
-@@ -694,7 +745,7 @@
+@@ -694,7 +742,7 @@
')
files_search_etc($1)
@@ -40100,7 +40247,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo
typeattribute $1 can_relabelto_shadow_passwords;
')
-@@ -1500,6 +1551,8 @@
+@@ -1500,6 +1548,8 @@
#
interface(`auth_use_nsswitch',`
@@ -40109,7 +40256,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo
files_list_var_lib($1)
# read /etc/nsswitch.conf
-@@ -1531,7 +1584,15 @@
+@@ -1531,7 +1581,15 @@
')
optional_policy(`
@@ -40128,8 +40275,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo
optional_policy(`
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.te serefpolicy-3.7.19/policy/modules/system/authlogin.te
--- nsaserefpolicy/policy/modules/system/authlogin.te 2010-04-13 20:44:37.000000000 +0200
-+++ serefpolicy-3.7.19/policy/modules/system/authlogin.te 2010-11-02 16:58:56.412650880 +0100
-@@ -6,6 +6,13 @@
++++ serefpolicy-3.7.19/policy/modules/system/authlogin.te 2011-01-14 14:32:33.697042630 +0100
+@@ -6,9 +6,17 @@
# Declarations
#
@@ -40143,7 +40290,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo
attribute can_read_shadow_passwords;
attribute can_write_shadow_passwords;
attribute can_relabelto_shadow_passwords;
-@@ -84,7 +91,7 @@
++attribute polydomain;
+
+ type auth_cache_t;
+ logging_log_file(auth_cache_t)
+@@ -84,7 +92,7 @@
allow chkpwd_t self:capability { dac_override setuid };
dontaudit chkpwd_t self:capability sys_tty_config;
@@ -40152,6 +40303,20 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo
allow chkpwd_t shadow_t:file read_file_perms;
files_list_etc(chkpwd_t)
+@@ -395,3 +403,13 @@
+ xserver_use_xdm_fds(utempter_t)
+ xserver_rw_xdm_pipes(utempter_t)
+ ')
++
++tunable_policy(`allow_polyinstantiation',`
++ files_polyinstantiate_all(polydomain)
++')
++
++optional_policy(`
++ tunable_policy(`allow_polyinstantiation',`
++ namespace_init_domtrans(polydomain)
++ ')
++')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/daemontools.if serefpolicy-3.7.19/policy/modules/system/daemontools.if
--- nsaserefpolicy/policy/modules/system/daemontools.if 2010-04-13 20:44:37.000000000 +0200
+++ serefpolicy-3.7.19/policy/modules/system/daemontools.if 2010-05-28 09:42:00.211610814 +0200
@@ -40454,7 +40619,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.f
# /var
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.if serefpolicy-3.7.19/policy/modules/system/init.if
--- nsaserefpolicy/policy/modules/system/init.if 2010-04-13 20:44:37.000000000 +0200
-+++ serefpolicy-3.7.19/policy/modules/system/init.if 2010-10-26 10:34:57.510650962 +0200
++++ serefpolicy-3.7.19/policy/modules/system/init.if 2011-01-14 14:25:37.423041886 +0100
@@ -193,8 +193,10 @@
gen_require(`
attribute direct_run_init, direct_init, direct_init_entry;
@@ -40589,7 +40754,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.i
')
')
-@@ -781,23 +832,45 @@
+@@ -781,19 +832,41 @@
#
interface(`init_domtrans_script',`
gen_require(`
@@ -40612,11 +40777,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.i
ifdef(`enable_mls',`
- range_transition $1 initrc_exec_t:process s0 - mls_systemhigh;
+ range_transition $1 init_script_file_type:process s0 - mls_systemhigh;
- ')
- ')
-
- ########################################
- ## <summary>
++ ')
++')
++
++########################################
++## <summary>
+## Execute a file in a bin directory
+## in the initrc_t domain
+## </summary>
@@ -40629,16 +40794,12 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.i
+interface(`init_bin_domtrans_spec',`
+ gen_require(`
+ type initrc_t;
-+ ')
+ ')
+
+ corecmd_bin_domtrans($1, initrc_t)
-+')
-+
-+########################################
-+## <summary>
- ## Execute a init script in a specified domain.
- ## </summary>
- ## <desc>
+ ')
+
+ ########################################
@@ -849,8 +922,10 @@
interface(`init_labeled_script_domtrans',`
gen_require(`
@@ -40650,7 +40811,32 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.i
domtrans_pattern($1, $2, initrc_t)
files_search_etc($1)
')
-@@ -1335,6 +1410,27 @@
+@@ -1192,6 +1267,24 @@
+ allow $1 initrc_t:process sigchld;
+ ')
+
++#######################################
++## <summary>
++## Connect to init with a unix socket.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`init_stream_connect',`
++ gen_require(`
++ type init_t;
++ ')
++
++ allow $1 init_t:unix_stream_socket connectto;
++')
++
+ ########################################
+ ## <summary>
+ ## Send generic signals to init scripts.
+@@ -1335,6 +1428,27 @@
allow $1 initrc_t:dbus send_msg;
')
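Review bot: The new `init_stream_connect` interface grants only `allow $1 init_t:unix_stream_socket connectto;`, and its summary "Connect to init with a unix socket" does not say what kind of socket that covers. `connectto` on the peer domain is sufficient for an abstract-namespace socket, but a socket bound to a path would also need write access to the socket file and search on its directory, which this interface does not give. If the abstract case is the intent (inferred, the listening side is not visible here), I would say so in the summary, e.g. `## Connect to init over its abstract unix stream socket.`, so that callers do not assume it also covers a filesystem socket.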
@@ -40678,7 +40864,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.i
########################################
## <summary>
## Send and receive messages from
-@@ -1637,7 +1733,7 @@
+@@ -1637,7 +1751,7 @@
type initrc_var_run_t;
')
@@ -40687,7 +40873,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.i
')
########################################
-@@ -1712,3 +1808,92 @@
+@@ -1712,3 +1826,92 @@
')
corenet_udp_recvfrom_labeled($1, daemon)
')
@@ -44997,7 +45183,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/udev.i
## </summary>
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/udev.te serefpolicy-3.7.19/policy/modules/system/udev.te
--- nsaserefpolicy/policy/modules/system/udev.te 2010-04-13 20:44:37.000000000 +0200
-+++ serefpolicy-3.7.19/policy/modules/system/udev.te 2010-07-19 15:51:48.410151770 +0200
++++ serefpolicy-3.7.19/policy/modules/system/udev.te 2011-01-14 14:25:52.533041029 +0100
@@ -50,6 +50,7 @@
allow udev_t self:unix_stream_socket connectto;
allow udev_t self:netlink_kobject_uevent_socket create_socket_perms;
@@ -45014,7 +45200,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/udev.t
fs_getattr_all_fs(udev_t)
fs_list_inotifyfs(udev_t)
-@@ -211,6 +213,10 @@
+@@ -138,6 +140,7 @@
+ init_read_utmp(udev_t)
+ init_dontaudit_write_utmp(udev_t)
+ init_getattr_initctl(udev_t)
++init_stream_connect(udev_t)
+
+ logging_search_logs(udev_t)
+ logging_send_syslog_msg(udev_t)
+@@ -211,6 +214,10 @@
')
optional_policy(`
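Review bot: `init_stream_connect(udev_t)` gives udev a new channel to `init_t`, but the commit message and the changelog entry list only the namespace policy, the screen pipe and the polyinstantiated homedir fixes. A permission from a device-event handler to init is worth a stated reason so it can be re-checked or dropped later. I would put a comment above the call, for example `# udev connects to init's socket (see <bug or AVC reference>)`, and add a matching line to the `%changelog` entry.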
@@ -45025,7 +45219,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/udev.t
consoletype_exec(udev_t)
')
-@@ -254,6 +260,10 @@
+@@ -254,6 +261,10 @@
')
optional_policy(`
@@ -45036,7 +45230,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/udev.t
openct_read_pid_files(udev_t)
openct_domtrans(udev_t)
')
-@@ -268,6 +278,10 @@
+@@ -268,6 +279,10 @@
')
optional_policy(`
@@ -48126,7 +48320,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.te serefpolicy-3.7.19/policy/modules/system/userdomain.te
--- nsaserefpolicy/policy/modules/system/userdomain.te 2010-04-13 20:44:37.000000000 +0200
-+++ serefpolicy-3.7.19/policy/modules/system/userdomain.te 2010-11-02 17:26:58.264649340 +0100
++++ serefpolicy-3.7.19/policy/modules/system/userdomain.te 2011-01-14 14:36:19.658040682 +0100
@@ -29,18 +29,18 @@
## <desc>
@@ -48182,7 +48376,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
userdom_user_home_content(user_home_t)
fs_associate_tmpfs(user_home_t)
files_associate_tmp(user_home_t)
-@@ -85,7 +95,7 @@
+@@ -85,10 +95,11 @@
files_type(user_devpts_t)
ubac_constrained(user_devpts_t)
@@ -48191,7 +48385,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
typealias user_tmp_t alias { staff_untrusted_content_tmp_t sysadm_untrusted_content_tmp_t secadm_untrusted_content_tmp_t auditadm_untrusted_content_tmp_t unconfined_untrusted_content_tmp_t };
files_tmp_file(user_tmp_t)
userdom_user_home_content(user_tmp_t)
-@@ -97,3 +107,41 @@
++files_poly_parent(user_tmp_t)
+
+ type user_tmpfs_t alias { staff_tmpfs_t sysadm_tmpfs_t secadm_tmpfs_t auditadm_tmpfs_t unconfined_tmpfs_t };
+ files_tmpfs_file(user_tmpfs_t)
+@@ -97,3 +108,41 @@
type user_tty_device_t alias { staff_tty_device_t sysadm_tty_device_t secadm_tty_device_t auditadm_tty_device_t unconfined_tty_device_t };
dev_node(user_tty_device_t)
ubac_constrained(user_tty_device_t)
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 8baf4da..ff2dab0 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -20,7 +20,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.7.19
-Release: 81%{?dist}
+Release: 82%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -470,6 +470,11 @@ exit 0
%endif
%changelog
+* Fri Jan 14 2011 Miroslav Grepl <mgrepl at redhat.com> 3.7.19-82
+- Add namespace policy
+- Update for screen policy to handle pipe in homedir
+- Fixes for polyinstatiated homedir
+
* Fri Jan 7 2011 Miroslav Grepl <mgrepl at redhat.com> 3.7.19-81
- Allow s-c-samba to read usr files
- Make kernel_t domain MLS trusted for lowering the level of files