rpms/selinux-policy/devel policy-20070703.patch, 1.15, 1.16 selinux-policy.spec, 1.478, 1.479

Daniel J Walsh (dwalsh) fedora-extras-commits at redhat.com
Mon Jul 23 20:34:55 UTC 2007


Author: dwalsh

Update of /cvs/extras/rpms/selinux-policy/devel
In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv10135

Modified Files:
	policy-20070703.patch selinux-policy.spec 
Log Message:
* Mon Jul 23 2007 Dan Walsh <dwalsh at redhat.com> 3.0.3-5
- Add ntpd_key_t to handle secret data


policy-20070703.patch:

Index: policy-20070703.patch
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/devel/policy-20070703.patch,v
retrieving revision 1.15
retrieving revision 1.16
diff -u -r1.15 -r1.16
--- policy-20070703.patch	23 Jul 2007 16:00:09 -0000	1.15
+++ policy-20070703.patch	23 Jul 2007 20:34:22 -0000	1.16
@@ -1260,7 +1260,7 @@
  /usr/libexec/gconfd-2 	--	gen_context(system_u:object_r:gconfd_exec_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gnome.if serefpolicy-3.0.3/policy/modules/apps/gnome.if
 --- nsaserefpolicy/policy/modules/apps/gnome.if	2007-05-29 14:10:48.000000000 -0400
-+++ serefpolicy-3.0.3/policy/modules/apps/gnome.if	2007-07-23 11:05:01.000000000 -0400
++++ serefpolicy-3.0.3/policy/modules/apps/gnome.if	2007-07-23 14:19:32.000000000 -0400
 @@ -33,6 +33,51 @@
  ## </param>
  #
@@ -1417,9 +1417,14 @@
  ##	manage gnome homedir content (.config)
  ## </summary>
  ## <param name="userdomain_prefix">
-@@ -193,3 +284,23 @@
- 	allow $2 $1_gnome_home_t:dir manage_dir_perms;
- 	allow $2 $1_gnome_home_t:file manage_file_perms;
+@@ -190,6 +281,26 @@
+ 		type $1_gnome_home_t;
+ 	')
+ 
+-	allow $2 $1_gnome_home_t:dir manage_dir_perms;
+-	allow $2 $1_gnome_home_t:file manage_file_perms;
++	manage_dirs_pattern($2, $1_gnome_home_t, $1_gnome_home_t)
++	manage_files_pattern($2, $1_gnome_home_t, $1_gnome_home_t)
  ')
 +
 +########################################
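Review bot: The new `manage_dirs_pattern($2, $1_gnome_home_t, $1_gnome_home_t)` and `manage_files_pattern($2, $1_gnome_home_t, $1_gnome_home_t)` lines are written with spaces after the commas, while every other pattern call this patch adds (ntp.te, the userdomain.if hunks) uses the unspaced `pattern(a,b,c)` form; one style should be picked for the patch. Behaviourally the two patterns grant only `search` on the `$1_gnome_home_t` container beyond what the removed `allow` lines gave, and `manage_dir_perms` already covers that, so the interface summary `manage gnome homedir content (.config)` still describes the result. The enclosing interface begins outside this hunk.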
@@ -1455,7 +1460,7 @@
  corecmd_executable_file(gconfd_exec_t)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.if serefpolicy-3.0.3/policy/modules/apps/java.if
 --- nsaserefpolicy/policy/modules/apps/java.if	2007-07-03 07:05:43.000000000 -0400
-+++ serefpolicy-3.0.3/policy/modules/apps/java.if	2007-07-17 15:46:25.000000000 -0400
++++ serefpolicy-3.0.3/policy/modules/apps/java.if	2007-07-23 16:11:58.000000000 -0400
 @@ -32,7 +32,7 @@
  ##	</summary>
  ## </param>
@@ -1475,7 +1480,7 @@
  	allow $1_javaplugin_t $2:fd use;
  	# Unrestricted inheritance from the caller.
  	allow $2 $1_javaplugin_t:process { noatsecure siginh rlimitinh };
-@@ -168,6 +167,55 @@
+@@ -168,6 +167,53 @@
  	optional_policy(`
  		xserver_user_client_template($1,$1_javaplugin_t,$1_javaplugin_tmpfs_t)
  	')
@@ -1512,7 +1517,6 @@
 +template(`java_per_role_template',`
 +	gen_require(`
 +		type java_exec_t;
-+		attribute $1_usertype;
 +	')
 +
 +	type $1_java_t;
@@ -1520,7 +1524,6 @@
 +	domain_entry_file($1_java_t,java_exec_t)
 +	role $3 types $1_java_t;
 +
-+	typeattribute $1_java_t $1_usertype;
 +	allow $1_java_t self:process { execheap execmem };
 +
 +	domtrans_pattern($2, java_exec_t, $1_java_t)
@@ -1531,7 +1534,7 @@
  ')
  
  ########################################
-@@ -221,3 +269,66 @@
+@@ -221,3 +267,66 @@
  	corecmd_search_bin($1)
  	domtrans_pattern($1, java_exec_t, java_t)
  ')
@@ -1623,8 +1626,8 @@
 +
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mono.if serefpolicy-3.0.3/policy/modules/apps/mono.if
 --- nsaserefpolicy/policy/modules/apps/mono.if	2007-05-29 14:10:48.000000000 -0400
-+++ serefpolicy-3.0.3/policy/modules/apps/mono.if	2007-07-17 15:46:25.000000000 -0400
-@@ -18,3 +18,100 @@
++++ serefpolicy-3.0.3/policy/modules/apps/mono.if	2007-07-23 16:14:31.000000000 -0400
+@@ -18,3 +18,98 @@
  	corecmd_search_bin($1)
  	domtrans_pattern($1, mono_exec_t, mono_t)
  ')
@@ -1708,7 +1711,6 @@
 +template(`mono_per_role_template',`
 +	gen_require(`
 +		type mono_exec_t;
-+		attribute $1_usertype;
 +	')
 +
 +	type $1_mono_t;
@@ -1716,7 +1718,6 @@
 +	domain_entry_file($1_mono_t,mono_exec_t)
 +	role $3 types $1_mono_t;
 +
-+	typeattribute $1_mono_t $1_usertype;
 +	allow $1_mono_t self:process { execheap execmem };
 +
 +	domtrans_pattern($2, mono_exec_t, $1_mono_t)
@@ -1738,7 +1739,7 @@
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla.if serefpolicy-3.0.3/policy/modules/apps/mozilla.if
 --- nsaserefpolicy/policy/modules/apps/mozilla.if	2007-07-03 07:05:43.000000000 -0400
-+++ serefpolicy-3.0.3/policy/modules/apps/mozilla.if	2007-07-20 17:26:25.000000000 -0400
++++ serefpolicy-3.0.3/policy/modules/apps/mozilla.if	2007-07-23 16:25:26.000000000 -0400
 @@ -36,6 +36,8 @@
  	gen_require(`
  		type mozilla_conf_t, mozilla_exec_t;
@@ -1833,7 +1834,7 @@
  	
  	xserver_user_client_template($1,$1_mozilla_t,$1_mozilla_tmpfs_t)
  	xserver_dontaudit_read_xdm_tmp_files($1_mozilla_t)
-@@ -213,133 +244,6 @@
+@@ -213,131 +244,8 @@
  		fs_manage_cifs_symlinks($1_mozilla_t)
  	')
  
@@ -1962,12 +1963,12 @@
 -		userdom_dontaudit_manage_user_tmp_files($1,$1_mozilla_t)
 -		userdom_dontaudit_manage_user_home_content_dirs($1,$1_mozilla_t)
 -
--	')
--
++	optional_policy(`
++		alsa_read_rw_config($1_mozilla_t)
+ 	')
+ 
  	optional_policy(`
- 		apache_read_user_scripts($1,$1_mozilla_t)
- 		apache_read_user_content($1,$1_mozilla_t)
-@@ -352,21 +256,23 @@
+@@ -352,21 +260,28 @@
  	optional_policy(`
  		cups_read_rw_config($1_mozilla_t)
  		cups_dbus_chat($1_mozilla_t)
@@ -1981,11 +1982,16 @@
 -		dbus_send_user_bus($1,$1_mozilla_t)
 +#		dbus_user_bus_client_template($1,$1_mozilla,$1_mozilla_t)
 +#		dbus_send_user_bus($1,$1_mozilla_t)
++	')
++
++	optional_policy(`
++		gnome_exec_gconf($1_mozilla_t)
++		gnome_manage_user_gnome_config($1,$1_mozilla_t)
  	')
  
  	optional_policy(`
- 		gnome_stream_connect_gconf_template($1,$1_mozilla_t)
 +		gnome_domtrans_user_gconf($1,$1_mozilla_t)
+ 		gnome_stream_connect_gconf_template($1,$1_mozilla_t)
  	')
  
  	optional_policy(`
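Review bot: The new `optional_policy` block combines `gnome_exec_gconf($1_mozilla_t)` with `gnome_manage_user_gnome_config($1,$1_mozilla_t)`, and `gnome_domtrans_user_gconf($1,$1_mozilla_t)` is kept a few lines below, so gconf tooling may now run either through the domain transition or directly inside `$1_mozilla_t`, and the browser domain gets full write access to the user's gnome config type; nothing in the hunk says why both paths are wanted (I cannot see the interface bodies from here). A one-line comment above the block recording the reason for the in-domain exec alongside the transition, and for the manage rather than read access, would keep a later reader from "fixing" one of them away. If the direct exec is only a fallback, consider whether the transition alone is enough. The enclosing template starts outside the hunk.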
@@ -1994,7 +2000,7 @@
  	')
  
  	optional_policy(`
-@@ -386,25 +292,6 @@
+@@ -386,25 +301,6 @@
  		thunderbird_domtrans_user_thunderbird($1, $1_mozilla_t)
  	')
  
@@ -2020,7 +2026,7 @@
  ')
  
  ########################################
-@@ -577,3 +464,27 @@
+@@ -577,3 +473,27 @@
  
  	allow $2 $1_mozilla_t:tcp_socket rw_socket_perms;
  ')
@@ -3175,7 +3181,7 @@
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.te serefpolicy-3.0.3/policy/modules/services/apache.te
 --- nsaserefpolicy/policy/modules/services/apache.te	2007-07-03 07:06:27.000000000 -0400
-+++ serefpolicy-3.0.3/policy/modules/services/apache.te	2007-07-17 15:46:25.000000000 -0400
++++ serefpolicy-3.0.3/policy/modules/services/apache.te	2007-07-23 16:18:28.000000000 -0400
 @@ -30,6 +30,13 @@
  
  ## <desc>
@@ -3499,7 +3505,7 @@
  # httpd_rotatelogs local policy
  #
  
-@@ -728,3 +892,24 @@
+@@ -728,3 +892,26 @@
  logging_search_logs(httpd_rotatelogs_t)
  
  miscfiles_read_localization(httpd_rotatelogs_t)
@@ -3520,9 +3526,11 @@
 +')
 +
 +
-+tunable_policy(`allow_httpd_dbus_avahi',`
-+	avahi_dbus_chat(httpd_t)
++optional_policy(`
 +	dbus_system_bus_client_template(httpd,httpd_t)
++	tunable_policy(`allow_httpd_dbus_avahi',`
++		avahi_dbus_chat(httpd_t)
++	')
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apcupsd.fc serefpolicy-3.0.3/policy/modules/services/apcupsd.fc
 --- nsaserefpolicy/policy/modules/services/apcupsd.fc	2007-05-30 11:47:29.000000000 -0400
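Review bot: With the new nesting, `dbus_system_bus_client_template(httpd,httpd_t)` is applied whenever the dbus module is present, no longer only when `allow_httpd_dbus_avahi` is set; only `avahi_dbus_chat(httpd_t)` remains under the boolean. That gives httpd system-bus client access on every dbus-enabled system even with the tunable off, which is wider than the tunable's name suggests. If that is intended, a comment such as `# bus client access is unconditional; only the avahi chat is tunable` above the block makes it explicit; if not, the template call should move under the tunable, which is only possible if the template declares no types (not verifiable from this hunk). The two consecutive blank lines at the top of the added block could be collapsed to one.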
@@ -5610,10 +5618,31 @@
 +	samba_read_config(nscd_t)
 +	samba_read_var_files(nscd_t)
 +')
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ntp.fc serefpolicy-3.0.3/policy/modules/services/ntp.fc
+--- nsaserefpolicy/policy/modules/services/ntp.fc	2007-05-29 14:10:57.000000000 -0400
++++ serefpolicy-3.0.3/policy/modules/services/ntp.fc	2007-07-23 13:11:18.000000000 -0400
+@@ -17,3 +17,7 @@
+ /var/log/xntpd.*		--	gen_context(system_u:object_r:ntpd_log_t,s0)
+ 
+ /var/run/ntpd\.pid		--	gen_context(system_u:object_r:ntpd_var_run_t,s0)
++
++/etc/ntp/crypto(/.*)?         gen_context(system_u:object_r:ntpd_key_t,s0)
++/etc/ntp/keys              -- gen_context(system_u:object_r:ntpd_key_t,s0)
++
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ntp.te serefpolicy-3.0.3/policy/modules/services/ntp.te
 --- nsaserefpolicy/policy/modules/services/ntp.te	2007-07-03 07:06:27.000000000 -0400
-+++ serefpolicy-3.0.3/policy/modules/services/ntp.te	2007-07-19 10:44:14.000000000 -0400
-@@ -36,6 +36,7 @@
++++ serefpolicy-3.0.3/policy/modules/services/ntp.te	2007-07-23 13:36:54.000000000 -0400
+@@ -25,6 +25,9 @@
+ type ntpdate_exec_t;
+ init_system_domain(ntpd_t,ntpdate_exec_t)
+ 
++type ntpd_key_t;
++files_type(ntpd_key_t)
++
+ ########################################
+ #
+ # Local policy
+@@ -36,6 +39,7 @@
  dontaudit ntpd_t self:capability { net_admin sys_tty_config fsetid sys_nice };
  allow ntpd_t self:process { signal_perms setcap setsched setrlimit };
  allow ntpd_t self:fifo_file { read write getattr };
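Review bot: `ntpd_key_t` is declared with plain `files_type(ntpd_key_t)` although the changelog describes it as the type for secret data; refpolicy provides `files_security_file()` for such types, which keeps them out of the `files_dontaudit_*_non_security_*` interfaces so that stray accesses from other domains are audited instead of silently dropped. Consider `files_security_file(ntpd_key_t)` in place of `files_type(ntpd_key_t)`. In ntp.fc the two new entries are aligned with spaces where the existing entries use tabs, and `/etc/ntp/crypto(/.*)?` has no object-class column while `/etc/ntp/keys` has `--`; matching any class for the directory tree is valid, but aligning the entries like the existing `/var/run/ntpd\.pid` line would make that deliberate rather than accidental.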
@@ -5621,7 +5650,16 @@
  allow ntpd_t self:unix_dgram_socket create_socket_perms;
  allow ntpd_t self:unix_stream_socket create_socket_perms;
  allow ntpd_t self:tcp_socket create_stream_socket_perms;
-@@ -82,6 +83,8 @@
+@@ -49,6 +53,8 @@
+ manage_files_pattern(ntpd_t,ntpd_log_t,ntpd_log_t)
+ logging_log_filetrans(ntpd_t,ntpd_log_t,{ file dir })
+ 
++read_files_pattern(ntpd_t,ntpd_key_t,ntpd_key_t)
++
+ # for some reason it creates a file in /tmp
+ manage_dirs_pattern(ntpd_t,ntpd_tmp_t,ntpd_tmp_t)
+ manage_files_pattern(ntpd_t,ntpd_tmp_t,ntpd_tmp_t)
+@@ -82,6 +88,8 @@
  
  fs_getattr_all_fs(ntpd_t)
  fs_search_auto_mountpoints(ntpd_t)
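Review bot: `read_files_pattern(ntpd_t,ntpd_key_t,ntpd_key_t)` grants read on regular files and `search` on the directory, but the matching fc entry `/etc/ntp/crypto(/.*)?` labels a whole directory, and ntp-keygen populates such a directory with symlinks pointing at the timestamped key and certificate files; without `read_lnk_files_pattern(ntpd_t,ntpd_key_t,ntpd_key_t)` ntpd would be denied following them (depends on how the keys were generated, so hedged). If ntpd also enumerates the directory, `allow ntpd_t ntpd_key_t:dir list_dir_perms;` is needed rather than the `search` the pattern gives. The new line also has no comment; a short `# autokey/crypto material, read-only` would match the neighbouring `# for some reason it creates a file in /tmp`.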
@@ -5630,7 +5668,7 @@
  
  auth_use_nsswitch(ntpd_t)
  
-@@ -107,6 +110,8 @@
+@@ -107,6 +115,8 @@
  
  sysnet_read_config(ntpd_t)
  
@@ -5639,7 +5677,7 @@
  userdom_dontaudit_use_unpriv_user_fds(ntpd_t)
  userdom_list_sysadm_home_dirs(ntpd_t)
  userdom_dontaudit_list_sysadm_home_dirs(ntpd_t)
-@@ -126,9 +131,14 @@
+@@ -126,9 +136,14 @@
  ')
  
  optional_policy(`
@@ -8886,7 +8924,7 @@
 +
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/logging.te serefpolicy-3.0.3/policy/modules/system/logging.te
 --- nsaserefpolicy/policy/modules/system/logging.te	2007-07-03 07:06:32.000000000 -0400
-+++ serefpolicy-3.0.3/policy/modules/system/logging.te	2007-07-17 15:46:25.000000000 -0400
++++ serefpolicy-3.0.3/policy/modules/system/logging.te	2007-07-23 15:43:28.000000000 -0400
 @@ -7,10 +7,15 @@
  #
  
@@ -8989,7 +9027,7 @@
  allow syslogd_t self:udp_socket create_socket_perms;
  allow syslogd_t self:tcp_socket create_stream_socket_perms;
  
-+allow syslogd_t syslog_conf_t:file read;
++allow syslogd_t syslog_conf_t:file r_file_perms;
 +
  # Create and bind to /dev/log or /var/run/log.
  allow syslogd_t devlog_t:sock_file manage_sock_file_perms;
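Review bot: `allow syslogd_t syslog_conf_t:file r_file_perms;` is the raw-rule form, whereas the rest of this patch expresses file access through pattern macros; `read_files_pattern(syslogd_t,syslog_conf_t,syslog_conf_t)` would be consistent and additionally grants `search` on a directory of that type, should the config ever live in one. Purely a style point; the widening from `read` to the full read permission set is fine.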
@@ -10369,178 +10407,33 @@
 +corecmd_exec_all_executables(unconfined_t)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.0.3/policy/modules/system/userdomain.if
 --- nsaserefpolicy/policy/modules/system/userdomain.if	2007-07-03 07:06:32.000000000 -0400
-+++ serefpolicy-3.0.3/policy/modules/system/userdomain.if	2007-07-23 11:53:11.000000000 -0400
-@@ -29,90 +29,99 @@
- 	')
++++ serefpolicy-3.0.3/policy/modules/system/userdomain.if	2007-07-23 16:30:24.000000000 -0400
+@@ -62,6 +62,10 @@
  
- 	attribute $1_file_type;
-+	attribute $1_usertype;
+ 	allow $1_t $1_tty_device_t:chr_file { setattr rw_chr_file_perms };
  
--	type $1_t, userdomain;
-+	type $1_t, userdomain, $1_usertype;
- 	domain_type($1_t)
--	corecmd_shell_entry_type($1_t)
--	corecmd_bin_entry_type($1_t)
-+	corecmd_shell_entry_type($1_usertype)
-+	corecmd_bin_entry_type($1_usertype)
- 	domain_user_exemption_target($1_t)
- 	role $1_r types $1_t;
- 	allow system_r $1_r;
- 
- 	type $1_devpts_t;
--	term_user_pty($1_t,$1_devpts_t)
-+	term_user_pty($1_usertype,$1_devpts_t)
- 	files_type($1_devpts_t)
- 
- 	type $1_tty_device_t; 
--	term_user_tty($1_t,$1_tty_device_t)
-+	term_user_tty($1_usertype,$1_tty_device_t)
- 
--	allow $1_t self:process { signal_perms getsched setsched share getpgid setpgid setcap getsession };
--	allow $1_t self:fd use;
--	allow $1_t self:fifo_file rw_fifo_file_perms;
--	allow $1_t self:unix_dgram_socket { create_socket_perms sendto };
--	allow $1_t self:unix_stream_socket { create_stream_socket_perms connectto };
--	allow $1_t self:shm create_shm_perms;
--	allow $1_t self:sem create_sem_perms;
--	allow $1_t self:msgq create_msgq_perms;
--	allow $1_t self:msg { send receive };
--	allow $1_t self:context contains;
--	dontaudit $1_t self:socket create;
--
--	allow $1_t $1_devpts_t:chr_file { setattr ioctl read getattr lock write append };
--	term_create_pty($1_t,$1_devpts_t)
--
--	allow $1_t $1_tty_device_t:chr_file { setattr rw_chr_file_perms };
--
--	kernel_read_kernel_sysctls($1_t)
--	kernel_dontaudit_list_unlabeled($1_t)
--	kernel_dontaudit_getattr_unlabeled_files($1_t)
--	kernel_dontaudit_getattr_unlabeled_symlinks($1_t)
--	kernel_dontaudit_getattr_unlabeled_pipes($1_t)
--	kernel_dontaudit_getattr_unlabeled_sockets($1_t)
--	kernel_dontaudit_getattr_unlabeled_blk_files($1_t)
--	kernel_dontaudit_getattr_unlabeled_chr_files($1_t)
-+	allow $1_usertype self:process { signal_perms getsched setsched share getpgid setpgid setcap getsession };
-+	allow $1_usertype self:fd use;
-+	allow $1_usertype self:fifo_file rw_fifo_file_perms;
-+	allow $1_usertype self:unix_dgram_socket { create_socket_perms sendto };
-+	allow $1_usertype self:unix_stream_socket { create_stream_socket_perms connectto };
-+	allow $1_usertype self:shm create_shm_perms;
-+	allow $1_usertype self:sem create_sem_perms;
-+	allow $1_usertype self:msgq create_msgq_perms;
-+	allow $1_usertype self:msg { send receive };
-+	allow $1_usertype self:context contains;
-+	dontaudit $1_usertype self:socket create;
-+
-+	allow $1_usertype $1_devpts_t:chr_file { setattr ioctl read getattr lock write append };
-+	term_create_pty($1_usertype,$1_devpts_t)
-+
-+	allow $1_usertype $1_tty_device_t:chr_file { setattr rw_chr_file_perms };
-+
-+	application_exec_all($1_usertype)
-+
-+	auth_use_nsswitch($1_usertype)
-+
-+	kernel_read_kernel_sysctls($1_usertype)
-+	kernel_dontaudit_list_unlabeled($1_usertype)
-+	kernel_dontaudit_getattr_unlabeled_files($1_usertype)
-+	kernel_dontaudit_getattr_unlabeled_symlinks($1_usertype)
-+	kernel_dontaudit_getattr_unlabeled_pipes($1_usertype)
-+	kernel_dontaudit_getattr_unlabeled_sockets($1_usertype)
-+	kernel_dontaudit_getattr_unlabeled_blk_files($1_usertype)
-+	kernel_dontaudit_getattr_unlabeled_chr_files($1_usertype)
- 
- 	# When the user domain runs ps, there will be a number of access
- 	# denials when ps tries to search /proc.  Do not audit these denials.
--	domain_dontaudit_read_all_domains_state($1_t)
--	domain_dontaudit_getattr_all_domains($1_t)
--	domain_dontaudit_getsession_all_domains($1_t)
--
--	files_read_etc_files($1_t)
--	files_read_etc_runtime_files($1_t)
--	files_read_usr_files($1_t)
-+	domain_dontaudit_read_all_domains_state($1_usertype)
-+	domain_dontaudit_getattr_all_domains($1_usertype)
-+	domain_dontaudit_getsession_all_domains($1_usertype)
-+
-+	files_read_etc_files($1_usertype)
-+	files_read_etc_runtime_files($1_usertype)
-+	files_read_usr_files($1_usertype)
- 	# Read directories and files with the readable_t type.
- 	# This type is a general type for "world"-readable files.
--	files_list_world_readable($1_t)
--	files_read_world_readable_files($1_t)
--	files_read_world_readable_symlinks($1_t)
--	files_read_world_readable_pipes($1_t)
--	files_read_world_readable_sockets($1_t)
-+	files_list_world_readable($1_usertype)
-+	files_read_world_readable_files($1_usertype)
-+	files_read_world_readable_symlinks($1_usertype)
-+	files_read_world_readable_pipes($1_usertype)
-+	files_read_world_readable_sockets($1_usertype)
- 	# old broswer_domain():
--	files_dontaudit_list_non_security($1_t)
--	files_dontaudit_getattr_non_security_files($1_t)
--	files_dontaudit_getattr_non_security_symlinks($1_t)
--	files_dontaudit_getattr_non_security_pipes($1_t)
--	files_dontaudit_getattr_non_security_sockets($1_t)
--	files_dontaudit_getattr_non_security_blk_files($1_t)
--	files_dontaudit_getattr_non_security_chr_files($1_t)
--
--	libs_use_ld_so($1_t)
--	libs_use_shared_libs($1_t)
--	libs_exec_ld_so($1_t)
-+	files_dontaudit_list_non_security($1_usertype)
-+	files_dontaudit_getattr_non_security_files($1_usertype)
-+	files_dontaudit_getattr_non_security_symlinks($1_usertype)
-+	files_dontaudit_getattr_non_security_pipes($1_usertype)
-+	files_dontaudit_getattr_non_security_sockets($1_usertype)
-+	files_dontaudit_getattr_non_security_blk_files($1_usertype)
-+	files_dontaudit_getattr_non_security_chr_files($1_usertype)
-+
-+	libs_use_ld_so($1_usertype)
-+	libs_use_shared_libs($1_usertype)
-+	libs_exec_ld_so($1_usertype)
- 
--	miscfiles_read_localization($1_t)
--	miscfiles_read_certs($1_t)
-+	miscfiles_read_localization($1_usertype)
-+	miscfiles_read_certs($1_usertype)
- 
--	sysnet_read_config($1_t)
-+	sysnet_read_config($1_usertype)
- 
- 	tunable_policy(`allow_execmem',`
- 		# Allow loading DSOs that require executable stack.
--		allow $1_t self:process execmem;
-+		allow $1_usertype self:process execmem;
- 	')
- 
- 	tunable_policy(`allow_execmem && allow_execstack',`
++	application_exec_all($1_t)
++
++	auth_use_nsswitch($1_t)
++
+ 	kernel_read_kernel_sysctls($1_t)
+ 	kernel_dontaudit_list_unlabeled($1_t)
+ 	kernel_dontaudit_getattr_unlabeled_files($1_t)
+@@ -114,6 +118,10 @@
  		# Allow making the stack executable via mprotect.
--		allow $1_t self:process execstack;
-+		allow $1_usertype self:process execstack;
-+	')
+ 		allow $1_t self:process execstack;
+ 	')
 +
 +	optional_policy(`
-+		ssh_rw_stream_sockets($1_usertype)
- 	')
++		ssh_rw_stream_sockets($1_t)
++	')
  ')
  
-@@ -174,43 +183,35 @@
- 	#
+ #######################################
+@@ -183,14 +191,6 @@
+ 	read_sock_files_pattern($1_t,{ $1_home_t $1_home_dir_t },$1_home_t)
+ 	files_list_home($1_t)
  
- 	# read-only home directory
--	allow $1_t $1_home_dir_t:dir list_dir_perms;
--	allow $1_t $1_home_t:dir list_dir_perms;
--	allow $1_t $1_home_t:file entrypoint;
--	read_files_pattern($1_t,{ $1_home_t $1_home_dir_t },$1_home_t)
--	read_lnk_files_pattern($1_t,{ $1_home_t $1_home_dir_t },$1_home_t)
--	read_fifo_files_pattern($1_t,{ $1_home_t $1_home_dir_t },$1_home_t)
--	read_sock_files_pattern($1_t,{ $1_home_t $1_home_dir_t },$1_home_t)
--	files_list_home($1_t)
--
 -	# privileged home directory writers
 -	manage_dirs_pattern(privhome,{ $1_home_dir_t $1_home_t },$1_home_t)
 -	manage_files_pattern(privhome,{ $1_home_dir_t $1_home_t },$1_home_t)
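Review bot: `application_exec_all($1_t)` and `auth_use_nsswitch($1_t)` are added to the base user template at `@@ -62,6 +62,10 @@` without a comment, and they are not small grants: the first lets every user domain built on this template execute every type marked as an application executable, the second gives it the full nsswitch client set. If this is meant for all roles built on the template, including any more restricted ones, a comment such as `# every user domain may run applications and resolve names via nsswitch` records that decision; if not, they belong in the unprivileged or privileged user templates instead. The new `optional_policy(` / `ssh_rw_stream_sockets($1_t)` block is fine as placed. The enclosing template starts outside this hunk.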
@@ -10548,263 +10441,45 @@
 -	manage_sock_files_pattern(privhome,{ $1_home_dir_t $1_home_t },$1_home_t)
 -	manage_fifo_files_pattern(privhome,{ $1_home_dir_t $1_home_t },$1_home_t)
 -	filetrans_pattern(privhome,$1_home_dir_t,$1_home_t,{ dir file lnk_file sock_file fifo_file })
-+	allow $1_usertype $1_home_dir_t:dir list_dir_perms;
-+	allow $1_usertype $1_home_t:dir list_dir_perms;
-+	allow $1_usertype $1_home_t:file entrypoint;
-+	read_files_pattern($1_usertype,{ $1_home_t $1_home_dir_t },$1_home_t)
-+	read_lnk_files_pattern($1_usertype,{ $1_home_t $1_home_dir_t },$1_home_t)
-+	read_fifo_files_pattern($1_usertype,{ $1_home_t $1_home_dir_t },$1_home_t)
-+	read_sock_files_pattern($1_usertype,{ $1_home_t $1_home_dir_t },$1_home_t)
-+	files_list_home($1_usertype)
- 
- 	tunable_policy(`use_nfs_home_dirs',`
--		fs_list_nfs_dirs($1_t)
--		fs_read_nfs_files($1_t)
--		fs_read_nfs_symlinks($1_t)
--		fs_read_nfs_named_sockets($1_t)
--		fs_read_nfs_named_pipes($1_t)
-+		fs_list_nfs_dirs($1_usertype)
-+		fs_read_nfs_files($1_usertype)
-+		fs_read_nfs_symlinks($1_usertype)
-+		fs_read_nfs_named_sockets($1_usertype)
-+		fs_read_nfs_named_pipes($1_usertype)
- 	',`
--		fs_dontaudit_read_nfs_dirs($1_t)
--		fs_dontaudit_read_nfs_files($1_t)
-+		fs_dontaudit_read_nfs_dirs($1_usertype)
-+		fs_dontaudit_read_nfs_files($1_usertype)
- 	')
- 
- 	tunable_policy(`use_samba_home_dirs',`
--		fs_list_cifs_dirs($1_t)
--		fs_read_cifs_files($1_t)
--		fs_read_cifs_symlinks($1_t)
--		fs_read_cifs_named_sockets($1_t)
--		fs_read_cifs_named_pipes($1_t)
-+		fs_list_cifs_dirs($1_usertype)
-+		fs_read_cifs_files($1_usertype)
-+		fs_read_cifs_symlinks($1_usertype)
-+		fs_read_cifs_named_sockets($1_usertype)
-+		fs_read_cifs_named_pipes($1_usertype)
- 	',`
--		fs_dontaudit_list_cifs_dirs($1_t)
--		fs_dontaudit_read_cifs_files($1_t)
-+		fs_dontaudit_list_cifs_dirs($1_usertype)
-+		fs_dontaudit_read_cifs_files($1_usertype)
- 	')
- ')
- 
-@@ -269,43 +270,43 @@
- 	#
- 
- 	# full control of the home directory
--	allow $1_t $1_home_t:file entrypoint;
--	manage_dirs_pattern($1_t,{ $1_home_dir_t $1_home_t },$1_home_t)
--	manage_files_pattern($1_t,{ $1_home_dir_t $1_home_t },$1_home_t)
--	manage_lnk_files_pattern($1_t,{ $1_home_dir_t $1_home_t },$1_home_t)
--	manage_sock_files_pattern($1_t,{ $1_home_dir_t $1_home_t },$1_home_t)
--	manage_fifo_files_pattern($1_t,{ $1_home_dir_t $1_home_t },$1_home_t)
--	relabel_dirs_pattern($1_t,{ $1_home_dir_t $1_home_t },$1_home_t)
--	relabel_files_pattern($1_t,{ $1_home_dir_t $1_home_t },$1_home_t)
--	relabel_lnk_files_pattern($1_t,{ $1_home_dir_t $1_home_t },$1_home_t)
--	relabel_sock_files_pattern($1_t,{ $1_home_dir_t $1_home_t },$1_home_t)
--	relabel_fifo_files_pattern($1_t,{ $1_home_dir_t $1_home_t },$1_home_t)
--	filetrans_pattern($1_t,$1_home_dir_t,$1_home_t,{ dir file lnk_file sock_file fifo_file })
--	files_list_home($1_t)
-+	allow $1_usertype $1_home_t:file entrypoint;
-+	manage_dirs_pattern($1_usertype,{ $1_home_dir_t $1_home_t },$1_home_t)
-+	manage_files_pattern($1_usertype,{ $1_home_dir_t $1_home_t },$1_home_t)
-+	manage_lnk_files_pattern($1_usertype,{ $1_home_dir_t $1_home_t },$1_home_t)
-+	manage_sock_files_pattern($1_usertype,{ $1_home_dir_t $1_home_t },$1_home_t)
-+	manage_fifo_files_pattern($1_usertype,{ $1_home_dir_t $1_home_t },$1_home_t)
-+	relabel_dirs_pattern($1_usertype,{ $1_home_dir_t $1_home_t },$1_home_t)
-+	relabel_files_pattern($1_usertype,{ $1_home_dir_t $1_home_t },$1_home_t)
-+	relabel_lnk_files_pattern($1_usertype,{ $1_home_dir_t $1_home_t },$1_home_t)
-+	relabel_sock_files_pattern($1_usertype,{ $1_home_dir_t $1_home_t },$1_home_t)
-+	relabel_fifo_files_pattern($1_usertype,{ $1_home_dir_t $1_home_t },$1_home_t)
-+	filetrans_pattern($1_usertype,$1_home_dir_t,$1_home_t,{ dir file lnk_file sock_file fifo_file })
-+	files_list_home($1_usertype)
- 
- 	# cjp: this should probably be removed:
--	allow $1_t $1_home_dir_t:dir { manage_dir_perms relabel_dir_perms };
-+	allow $1_usertype $1_home_dir_t:dir { manage_dir_perms relabel_dir_perms };
- 
- 	tunable_policy(`use_nfs_home_dirs',`
--		fs_manage_nfs_dirs($1_t)
--		fs_manage_nfs_files($1_t)
--		fs_manage_nfs_symlinks($1_t)
--		fs_manage_nfs_named_sockets($1_t)
--		fs_manage_nfs_named_pipes($1_t)
-+		fs_manage_nfs_dirs($1_usertype)
-+		fs_manage_nfs_files($1_usertype)
-+		fs_manage_nfs_symlinks($1_usertype)
-+		fs_manage_nfs_named_sockets($1_usertype)
-+		fs_manage_nfs_named_pipes($1_usertype)
- 	',`
--		fs_dontaudit_manage_nfs_dirs($1_t)
--		fs_dontaudit_manage_nfs_files($1_t)
-+		fs_dontaudit_manage_nfs_dirs($1_usertype)
-+		fs_dontaudit_manage_nfs_files($1_usertype)
- 	')
- 
- 	tunable_policy(`use_samba_home_dirs',`
--		fs_manage_cifs_dirs($1_t)
--		fs_manage_cifs_files($1_t)
--		fs_manage_cifs_symlinks($1_t)
--		fs_manage_cifs_named_sockets($1_t)
--		fs_manage_cifs_named_pipes($1_t)
-+		fs_manage_cifs_dirs($1_usertype)
-+		fs_manage_cifs_files($1_usertype)
-+		fs_manage_cifs_symlinks($1_usertype)
-+		fs_manage_cifs_named_sockets($1_usertype)
-+		fs_manage_cifs_named_pipes($1_usertype)
- 	',`
--		fs_dontaudit_manage_cifs_dirs($1_t)
--		fs_dontaudit_manage_cifs_files($1_t)
-+		fs_dontaudit_manage_cifs_dirs($1_usertype)
-+		fs_dontaudit_manage_cifs_files($1_usertype)
- 	')
- ')
- 
-@@ -323,14 +324,14 @@
- ## <rolebase/>
- #
- template(`userdom_exec_home_template',`
--	can_exec($1_t,$1_home_t)
-+	can_exec($1_usertype,$1_home_t)
- 
+-
  	tunable_policy(`use_nfs_home_dirs',`
--		fs_exec_nfs_files($1_t)
-+		fs_exec_nfs_files($1_usertype)
- 	')
- 
- 	tunable_policy(`use_samba_home_dirs',`
--		fs_exec_cifs_files($1_t)
-+		fs_exec_cifs_files($1_usertype)
- 	')
- ')
- 
-@@ -348,7 +349,7 @@
- ## <rolebase/>
- #
- template(`userdom_poly_home_template',`
--	type_member $1_t $1_home_dir_t:dir $1_home_dir_t;
-+	type_member $1_usertype $1_home_dir_t:dir $1_home_dir_t;
- 	files_poly($1_home_dir_t)
- 	files_poly_parent($1_home_dir_t)
- 	files_poly_parent($1_home_t)
-@@ -382,12 +383,12 @@
- 	type $1_tmp_t, $1_file_type;
- 	files_tmp_file($1_tmp_t)
- 
--	manage_dirs_pattern($1_t,$1_tmp_t,$1_tmp_t)
--	manage_files_pattern($1_t,$1_tmp_t,$1_tmp_t)
--	manage_lnk_files_pattern($1_t,$1_tmp_t,$1_tmp_t)
--	manage_sock_files_pattern($1_t,$1_tmp_t,$1_tmp_t)
--	manage_fifo_files_pattern($1_t,$1_tmp_t,$1_tmp_t)
--	files_tmp_filetrans($1_t, $1_tmp_t, { dir file lnk_file sock_file fifo_file })
-+	manage_dirs_pattern($1_usertype,$1_tmp_t,$1_tmp_t)
-+	manage_files_pattern($1_usertype,$1_tmp_t,$1_tmp_t)
-+	manage_lnk_files_pattern($1_usertype,$1_tmp_t,$1_tmp_t)
-+	manage_sock_files_pattern($1_usertype,$1_tmp_t,$1_tmp_t)
-+	manage_fifo_files_pattern($1_usertype,$1_tmp_t,$1_tmp_t)
-+	files_tmp_filetrans($1_usertype, $1_tmp_t, { dir file lnk_file sock_file fifo_file })
- ')
- 
- #######################################
-@@ -403,7 +404,7 @@
- ## <rolebase/>
- #
- template(`userdom_exec_tmp_template',`
--	exec_files_pattern($1_t,$1_tmp_t,$1_tmp_t)
-+	exec_files_pattern($1_usertype,$1_tmp_t,$1_tmp_t)
- ')
- 
- #######################################
-@@ -419,7 +420,7 @@
+ 		fs_list_nfs_dirs($1_t)
+ 		fs_read_nfs_files($1_t)
+@@ -517,10 +517,6 @@
  ## <rolebase/>
  #
- template(`userdom_poly_tmp_template',`
--	files_poly_member_tmp($1_t,tmp_t)
-+	files_poly_member_tmp($1_usertype,tmp_t)
- ')
- 
- #######################################
-@@ -452,12 +453,12 @@
- 	type $1_tmpfs_t, $1_file_type;
- 	files_tmpfs_file($1_tmpfs_t)
- 
--	manage_dirs_pattern($1_t,$1_tmpfs_t,$1_tmpfs_t)
--	manage_files_pattern($1_t,$1_tmpfs_t,$1_tmpfs_t)
--	manage_lnk_files_pattern($1_t,$1_tmpfs_t,$1_tmpfs_t)
--	manage_sock_files_pattern($1_t,$1_tmpfs_t,$1_tmpfs_t)
--	manage_fifo_files_pattern($1_t,$1_tmpfs_t,$1_tmpfs_t)
--	fs_tmpfs_filetrans($1_t,$1_tmpfs_t, { dir file lnk_file sock_file fifo_file })
-+	manage_dirs_pattern($1_usertype,$1_tmpfs_t,$1_tmpfs_t)
-+	manage_files_pattern($1_usertype,$1_tmpfs_t,$1_tmpfs_t)
-+	manage_lnk_files_pattern($1_usertype,$1_tmpfs_t,$1_tmpfs_t)
-+	manage_sock_files_pattern($1_usertype,$1_tmpfs_t,$1_tmpfs_t)
-+	manage_fifo_files_pattern($1_usertype,$1_tmpfs_t,$1_tmpfs_t)
-+	fs_tmpfs_filetrans($1_usertype,$1_tmpfs_t, { dir file lnk_file sock_file fifo_file })
- ')
- 
- #######################################
-@@ -518,10 +519,10 @@
- #
  template(`userdom_exec_generic_pgms_template',`
- 	gen_require(`
+-	gen_require(`
 -		type $1_t;
-+		attribute $1_usertype;
- 	')
- 
--	corecmd_exec_bin($1_t)
-+	corecmd_exec_bin($1_usertype)
+-	')
+-
+ 	corecmd_exec_bin($1_t)
  ')
  
- #######################################
-@@ -539,22 +540,28 @@
+@@ -538,9 +534,6 @@
+ ## <rolebase/>
  #
  template(`userdom_basic_networking_template',`
- 	gen_require(`
+-	gen_require(`
 -		type $1_t;
-+		attribute $1_usertype;
- 	')
+-	')
  
--	allow $1_t self:tcp_socket create_stream_socket_perms;
--	allow $1_t self:udp_socket create_socket_perms;
-+	allow $1_usertype self:tcp_socket create_stream_socket_perms;
-+	allow $1_usertype self:udp_socket create_socket_perms;
-+
-+	corenet_all_recvfrom_unlabeled($1_usertype)
-+	corenet_all_recvfrom_netlabel($1_usertype)
-+	corenet_tcp_sendrecv_all_if($1_usertype)
-+	corenet_udp_sendrecv_all_if($1_usertype)
-+	corenet_tcp_sendrecv_all_nodes($1_usertype)
-+	corenet_udp_sendrecv_all_nodes($1_usertype)
-+	corenet_tcp_sendrecv_all_ports($1_usertype)
-+	corenet_udp_sendrecv_all_ports($1_usertype)
-+	corenet_tcp_connect_all_ports($1_usertype)
-+	corenet_sendrecv_all_client_packets($1_usertype)
- 
--	corenet_all_recvfrom_unlabeled($1_t)
--	corenet_all_recvfrom_netlabel($1_t)
--	corenet_tcp_sendrecv_all_if($1_t)
--	corenet_udp_sendrecv_all_if($1_t)
--	corenet_tcp_sendrecv_all_nodes($1_t)
--	corenet_udp_sendrecv_all_nodes($1_t)
--	corenet_tcp_sendrecv_all_ports($1_t)
--	corenet_udp_sendrecv_all_ports($1_t)
--	corenet_tcp_connect_all_ports($1_t)
--	corenet_sendrecv_all_client_packets($1_t)
+ 	allow $1_t self:tcp_socket create_stream_socket_perms;
+ 	allow $1_t self:udp_socket create_socket_perms;
+@@ -555,6 +548,12 @@
+ 	corenet_udp_sendrecv_all_ports($1_t)
+ 	corenet_tcp_connect_all_ports($1_t)
+ 	corenet_sendrecv_all_client_packets($1_t)
++
 +	ifdef(`enable_mls',`
 +		# netlabel/CIPSO labeled networking 
-+		corenet_tcp_recv_netlabel($1_usertype)
-+		corenet_udp_recv_netlabel($1_usertype)
++		corenet_tcp_recv_netlabel($1_t)
++		corenet_udp_recv_netlabel($1_t)
 +	')
  ')
  
  #######################################
-@@ -571,32 +578,29 @@
+@@ -571,32 +570,29 @@
  #
  template(`userdom_xwindows_client_template',`
  	gen_require(`
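Review bot: In `userdom_exec_generic_pgms_template` and `userdom_basic_networking_template` the patch now deletes the whole `gen_require(` / `type $1_t;` / `')` block instead of restoring it, so both templates reference `$1_t` without declaring the requirement. Inside userdomain.if this still builds because `$1_t` is declared by the same module, but it drops the refpolicy convention that a template declares what it uses and would fail if either template were called from another module. Restoring the three lines `gen_require(` `type $1_t;` `')` at the top of each template keeps the revert of the `$1_usertype` change without that regression. The `ifdef(`enable_mls'` addition further down is fine as written.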
@@ -10835,30 +10510,30 @@
 -		# Needed for escd, remove if we get escd policy
 -		xserver_manage_xdm_tmp_files($1_t)
 -	')
-+	dev_rw_xserver_misc($1_usertype)
-+	dev_rw_power_management($1_usertype)
-+	dev_read_input($1_usertype)
-+	dev_read_misc($1_usertype)
-+	dev_write_misc($1_usertype)
++	dev_rw_xserver_misc($1_t)
++	dev_rw_power_management($1_t)
++	dev_read_input($1_t)
++	dev_read_misc($1_t)
++	dev_write_misc($1_t)
 +	# open office is looking for the following
-+	dev_getattr_agp_dev($1_usertype)
-+	dev_dontaudit_rw_dri($1_usertype)
++	dev_getattr_agp_dev($1_t)
++	dev_dontaudit_rw_dri($1_t)
 +	# GNOME checks for usb and other devices:
-+	dev_rw_usbfs($1_usertype)
-+	xserver_user_client_template($1,$1_usertype,$1_tmpfs_t)
-+	xserver_xsession_entry_type($1_usertype)
-+	xserver_dontaudit_write_log($1_usertype)
-+	xserver_stream_connect_xdm($1_usertype)
++	dev_rw_usbfs($1_t)
++	xserver_user_client_template($1,$1_t,$1_tmpfs_t)
++	xserver_xsession_entry_type($1_t)
++	xserver_dontaudit_write_log($1_t)
++	xserver_stream_connect_xdm($1_t)
 +	# certain apps want to read xdm.pid file
-+	xserver_read_xdm_pid($1_usertype)
++	xserver_read_xdm_pid($1_t)
 +	# gnome-session creates socket under /tmp/.ICE-unix/
-+	xserver_create_xdm_tmp_sockets($1_usertype)
++	xserver_create_xdm_tmp_sockets($1_t)
 +	# Needed for escd, remove if we get escd policy
-+	xserver_manage_xdm_tmp_files($1_usertype)
++	xserver_manage_xdm_tmp_files($1_t)
  ')
  
  #######################################
-@@ -672,281 +676,335 @@
+@@ -672,67 +668,39 @@
  		attribute unpriv_userdomain;
  	')
  
@@ -10898,95 +10573,62 @@
 -	allow $1_t self:context contains;
 -
  	# evolution and gnome-session try to create a netlink socket
--	dontaudit $1_t self:netlink_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown };
--	dontaudit $1_t self:netlink_route_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown nlmsg_read nlmsg_write };
-+	dontaudit $1_usertype self:netlink_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown };
-+	dontaudit $1_usertype self:netlink_route_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown nlmsg_read nlmsg_write };
+ 	dontaudit $1_t self:netlink_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown };
+ 	dontaudit $1_t self:netlink_route_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown nlmsg_read nlmsg_write };
  
--	allow $1_t unpriv_userdomain:fd use;
-+	allow $1_usertype unpriv_userdomain:fd use;
+ 	allow $1_t unpriv_userdomain:fd use;
  
 -	kernel_read_system_state($1_t)
 -	kernel_read_network_state($1_t)
 -	kernel_read_net_sysctls($1_t)
  	# Very permissive allowing every domain to see every type:
--	kernel_get_sysvipc_info($1_t)
+ 	kernel_get_sysvipc_info($1_t)
 -	# Find CDROM devices:
 -	kernel_read_device_sysctls($1_t)
--
--	corenet_udp_bind_all_nodes($1_t)
--	corenet_udp_bind_generic_port($1_t)
-+	kernel_get_sysvipc_info($1_usertype)
+ 
+ 	corenet_udp_bind_all_nodes($1_t)
+ 	corenet_udp_bind_generic_port($1_t)
  
 -	dev_read_sysfs($1_t)
--	dev_read_rand($1_t)
+ 	dev_read_rand($1_t)
 -	dev_read_urand($1_t)
--	dev_write_sound($1_t)
--	dev_read_sound($1_t)
--	dev_read_sound_mixer($1_t)
--	dev_write_sound_mixer($1_t)
-+	corenet_udp_bind_all_nodes($1_usertype)
-+	corenet_udp_bind_generic_port($1_usertype)
+ 	dev_write_sound($1_t)
+ 	dev_read_sound($1_t)
+ 	dev_read_sound_mixer($1_t)
+ 	dev_write_sound_mixer($1_t)
  
 -	domain_use_interactive_fds($1_t)
 -	# Command completion can fire hundreds of denials
 -	domain_dontaudit_exec_all_entry_files($1_t)
-+	dev_read_rand($1_usertype)
-+	dev_write_sound($1_usertype)
-+	dev_read_sound($1_usertype)
-+	dev_read_sound_mixer($1_usertype)
-+	dev_write_sound_mixer($1_usertype)
- 
--	files_exec_etc_files($1_t)
--	files_search_locks($1_t)
-+	files_exec_etc_files($1_usertype)
-+	files_search_locks($1_usertype)
+-
+ 	files_exec_etc_files($1_t)
+ 	files_search_locks($1_t)
  	# Check to see if cdrom is mounted
--	files_search_mnt($1_t)
-+	files_search_mnt($1_usertype)
- 	# cjp: perhaps should cut back on file reads:
--	files_read_var_files($1_t)
--	files_read_var_symlinks($1_t)
--	files_read_generic_spool($1_t)
--	files_read_var_lib_files($1_t)
-+	files_read_var_files($1_usertype)
-+	files_read_var_symlinks($1_usertype)
-+	files_read_generic_spool($1_usertype)
-+	files_read_var_lib_files($1_usertype)
+@@ -745,12 +713,6 @@
  	# Stat lost+found.
--	files_getattr_lost_found_dirs($1_t)
--
+ 	files_getattr_lost_found_dirs($1_t)
+ 
 -	fs_get_all_fs_quotas($1_t)
 -	fs_getattr_all_fs($1_t)
 -	fs_getattr_all_dirs($1_t)
 -	fs_search_auto_mountpoints($1_t)
 -	fs_list_inotifyfs($1_t)
-+	files_getattr_lost_found_dirs($1_usertype)
- 
+-
  	# cjp: some of this probably can be removed
--	selinux_get_fs_mount($1_t)
--	selinux_validate_context($1_t)
--	selinux_compute_access_vector($1_t)
--	selinux_compute_create_context($1_t)
--	selinux_compute_relabel_context($1_t)
--	selinux_compute_user_contexts($1_t)
-+	selinux_get_fs_mount($1_usertype)
-+	selinux_validate_context($1_usertype)
-+	selinux_compute_access_vector($1_usertype)
-+	selinux_compute_create_context($1_usertype)
-+	selinux_compute_relabel_context($1_usertype)
-+	selinux_compute_user_contexts($1_usertype)
+ 	selinux_get_fs_mount($1_t)
+ 	selinux_validate_context($1_t)
+@@ -763,31 +725,16 @@
+ 	storage_getattr_fixed_disk_dev($1_t)
  
- 	# for eject
--	storage_getattr_fixed_disk_dev($1_t)
--
--	auth_read_login_records($1_t)
+ 	auth_read_login_records($1_t)
 -	auth_dontaudit_write_login_records($1_t)
--	auth_search_pam_console_data($1_t)
--	auth_run_pam($1_t,$1_r,{ $1_tty_device_t $1_devpts_t })
--	auth_run_utempter($1_t,$1_r,{ $1_tty_device_t $1_devpts_t })
--
--	init_read_utmp($1_t)
+ 	auth_search_pam_console_data($1_t)
+ 	auth_run_pam($1_t,$1_r,{ $1_tty_device_t $1_devpts_t })
+ 	auth_run_utempter($1_t,$1_r,{ $1_tty_device_t $1_devpts_t })
++	auth_run_upd_passwd($1_t,$1_r,{ $1_tty_device_t $1_devpts_t })
++	auth_read_key($1_t)
+ 
+ 	init_read_utmp($1_t)
 -	# The library functions always try to open read-write first,
 -	# then fall back to read-only if it fails. 
 -	init_dontaudit_write_utmp($1_t)
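Review bot: `auth_read_key($1_t)` is added unconditionally next to `auth_run_upd_passwd(...)` in this hunk, so every user domain built from this template gets read access to whatever the authlogin module labels as key material, with no comment saying which program needs it; the interface body is not visible here, so please confirm the grant is not broader than intended and add a why-comment such as `# <PROGRAM — confirm> needs to read <KEY TYPE — confirm>` or gate it with a tunable. The changelog line this commit adds to selinux-policy.spec ("Add ntpd_key_t to handle secret data") does not mention what this and the other userdomain.if hunks actually do, which is swapping every `$1_usertype` argument back to `$1_t`, and nothing visible here touches ntpd; a second changelog line naming that revert would keep the spec accurate if the ntpd change lives elsewhere in the patch. The enclosing template (presumably `userdom_common_user_template`) starts above this hunk.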
@@ -10995,80 +10637,41 @@
 -	init_dontaudit_use_script_fds($1_t)
 -
 -	libs_exec_lib_files($1_t)
-+	storage_getattr_fixed_disk_dev($1_usertype)
- 
+-
 -	logging_dontaudit_getattr_all_logs($1_t)
 -
 -	miscfiles_read_man_pages($1_t)
 -	# for running TeX programs
 -	miscfiles_read_tetex_data($1_t)
 -	miscfiles_exec_tetex_data($1_t)
--
--	seutil_read_file_contexts($1_t)
--	seutil_read_default_contexts($1_t)
+ 
+ 	seutil_read_file_contexts($1_t)
+ 	seutil_read_default_contexts($1_t)
 -	seutil_read_config($1_t)
--	seutil_run_newrole($1_t,$1_r,{ $1_devpts_t $1_tty_device_t })
--	seutil_exec_checkpolicy($1_t)
--	seutil_exec_setfiles($1_t)
-+	auth_read_login_records($1_usertype)
-+	auth_search_pam_console_data($1_usertype)
-+	auth_run_pam($1_usertype,$1_r,{ $1_tty_device_t $1_devpts_t })
-+	auth_run_utempter($1_usertype,$1_r,{ $1_tty_device_t $1_devpts_t })
-+	auth_run_upd_passwd($1_usertype,$1_r,{ $1_tty_device_t $1_devpts_t })
-+	auth_read_key($1_usertype)
-+
-+	init_read_utmp($1_usertype)
-+
-+	seutil_read_file_contexts($1_usertype)
-+	seutil_read_default_contexts($1_usertype)
-+	seutil_run_newrole($1_usertype,$1_r,{ $1_devpts_t $1_tty_device_t })
-+	seutil_exec_checkpolicy($1_usertype)
-+	seutil_exec_setfiles($1_usertype)
- 	# for when the network connection is killed
- 	# this is needed when a login role can change
- 	# to this one.
--	seutil_dontaudit_signal_newrole($1_t)
-+	seutil_dontaudit_signal_newrole($1_usertype)
- 
- 	tunable_policy(`read_default_t',`
--		files_list_default($1_t)
--		files_read_default_files($1_t)
--		files_read_default_symlinks($1_t)
--		files_read_default_sockets($1_t)
--		files_read_default_pipes($1_t)
+ 	seutil_run_newrole($1_t,$1_r,{ $1_devpts_t $1_tty_device_t })
+ 	seutil_exec_checkpolicy($1_t)
+ 	seutil_exec_setfiles($1_t)
+@@ -802,19 +749,12 @@
+ 		files_read_default_symlinks($1_t)
+ 		files_read_default_sockets($1_t)
+ 		files_read_default_pipes($1_t)
 -	',`
 -		files_dontaudit_list_default($1_t)
 -		files_dontaudit_read_default_files($1_t)
-+		files_list_default($1_usertype)
-+		files_read_default_files($1_usertype)
-+		files_read_default_symlinks($1_usertype)
-+		files_read_default_sockets($1_usertype)
-+		files_read_default_pipes($1_usertype)
  	')
  
  	tunable_policy(`user_direct_mouse',`
--		dev_read_mouse($1_t)
--	')
--
--	tunable_policy(`user_ttyfile_stat',`
--		term_getattr_all_user_ttys($1_t)
-+		dev_read_mouse($1_usertype)
- 	')
- 
- 	optional_policy(`
--		alsa_read_rw_config($1_t)
-+		alsa_read_rw_config($1_usertype)
+ 		dev_read_mouse($1_t)
  	')
  
+-	tunable_policy(`user_ttyfile_stat',`
+-		term_getattr_all_user_ttys($1_t)
+-	')
+-
  	optional_policy(`
- 		# Allow graphical boot to check battery lifespan
--		apm_stream_connect($1_t)
-+		apm_stream_connect($1_usertype)
+ 		alsa_read_rw_config($1_t)
  	')
- 
- 	optional_policy(`
--		canna_stream_connect($1_t)
-+		canna_stream_connect($1_usertype)
+@@ -829,34 +769,14 @@
  	')
  
  	optional_policy(`
@@ -11077,23 +10680,19 @@
 -	')
 -
 -	optional_policy(`
--		allow $1_t self:dbus send_msg;
--		dbus_system_bus_client_template($1,$1_t)
-+		allow $1_usertype self:dbus send_msg;
-+		dbus_system_bus_client_template($1,$1_usertype)
+ 		allow $1_t self:dbus send_msg;
+ 		dbus_system_bus_client_template($1,$1_t)
  
  		optional_policy(`
 -			bluetooth_dbus_chat($1_t)
-+			evolution_dbus_chat($1,$1_usertype)
-+			evolution_alarm_dbus_chat($1,$1_usertype)
- 		')
- 
--		optional_policy(`
--			evolution_dbus_chat($1,$1_t)
--			evolution_alarm_dbus_chat($1,$1_t)
 -		')
 -
 -		optional_policy(`
+ 			evolution_dbus_chat($1,$1_t)
+ 			evolution_alarm_dbus_chat($1,$1_t)
+ 		')
+ 
+-		optional_policy(`
 -			cups_dbus_chat_config($1_t)
 -		')
 -
@@ -11107,45 +10706,16 @@
  	')
  
  	optional_policy(`
--		inetd_use_fds($1_t)
--		inetd_rw_tcp_sockets($1_t)
-+		inetd_use_fds($1_usertype)
-+		inetd_rw_tcp_sockets($1_usertype)
- 	')
- 
- 	optional_policy(`
--		inn_read_config($1_t)
--		inn_read_news_lib($1_t)
--		inn_read_news_spool($1_t)
-+		inn_read_config($1_usertype)
-+		inn_read_news_lib($1_usertype)
-+		inn_read_news_spool($1_usertype)
- 	')
- 
- 	optional_policy(`
--		locate_read_lib_files($1_t)
-+		locate_read_lib_files($1_usertype)
- 	')
- 
- 	# for running depmod as part of the kernel packaging process
- 	optional_policy(`
--		modutils_read_module_config($1_t)
-+		modutils_read_module_config($1_usertype)
+@@ -884,17 +804,19 @@
  	')
  
  	optional_policy(`
--		mta_rw_spool($1_t)
+-		nis_use_ypbind($1_t)
 -	')
 -
 -	optional_policy(`
--		nis_use_ypbind($1_t)
-+		mta_rw_spool($1_usertype)
- 	')
- 
- 	optional_policy(`
  		tunable_policy(`allow_user_mysql_connect',`
--			mysql_stream_connect($1_t)
-+			mysql_stream_connect($1_usertype)
+ 			mysql_stream_connect($1_t)
  		')
  	')
  
@@ -11153,53 +10723,46 @@
 -		nscd_socket_use($1_t)
 +	 optional_policy(`
 +	          tunable_policy(`allow_user_postgresql_connect',`
-+			postgresql_stream_connect($1_usertype)
++			postgresql_stream_connect($1_t)
 +		  ')
 +        ')
 +
 +	tunable_policy(`user_ttyfile_stat',`
-+		term_getattr_all_user_ttys($1_usertype)
- 	')
- 
- 	optional_policy(`
- 		# to allow monitoring of pcmcia status
--		pcmcia_read_pid($1_t)
-+		pcmcia_read_pid($1_usertype)
++		term_getattr_all_user_ttys($1_t)
  	')
  
  	optional_policy(`
--		pcscd_read_pub_files($1_t)
--		pcscd_stream_connect($1_t)
-+		pcscd_read_pub_files($1_usertype)
-+		pcscd_stream_connect($1_usertype)
+@@ -908,39 +830,210 @@
  	')
  
  	optional_policy(`
 -		tunable_policy(`allow_user_postgresql_connect',`
 -			postgresql_stream_connect($1_t)
 -		')
-+		resmgr_stream_connect($1_usertype)
++		resmgr_stream_connect($1_t)
  	')
  
  	optional_policy(`
 -		quota_dontaudit_getattr_db($1_t)
-+		rpc_dontaudit_getattr_exports($1_usertype)
-+		rpc_manage_nfs_rw_content($1_usertype)
++		rpc_dontaudit_getattr_exports($1_t)
++		rpc_manage_nfs_rw_content($1_t)
  	')
  
  	optional_policy(`
 -		resmgr_stream_connect($1_t)
-+		samba_stream_connect_winbind($1_usertype)
++		samba_stream_connect_winbind($1_t)
  	')
  
  	optional_policy(`
 -		rpc_dontaudit_getattr_exports($1_t)
 -		rpc_manage_nfs_rw_content($1_t)
-+		slrnpull_search_spool($1_usertype)
-+	')
-+
-+	optional_policy(`
-+		usernetctl_run($1_usertype,$1_r,{ $1_devpts_t $1_tty_device_t })
++		slrnpull_search_spool($1_t)
+ 	')
+ 
+ 	optional_policy(`
+-		rpm_read_db($1_t)
+-		rpm_dontaudit_manage_db($1_t)
++		usernetctl_run($1_t,$1_r,{ $1_devpts_t $1_tty_device_t })
 +	')
 +')
 +
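Review bot: The `optional_policy` block wrapping `tunable_policy(`allow_user_postgresql_connect'` is indented with a space-plus-tab (` optional_policy(`), a tab followed by ten spaces, and an eight-space `')`, while every other block in this file uses tabs only; retab those four lines so the block matches its neighbours. These lines are carried as inner-patch additions that this commit only touches for the `$1_t` argument, so the whitespace survives into the new side. The enclosing template closes at the `+')` after `usernetctl_run`.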
@@ -11224,8 +10787,8 @@
 +template(`userdom_privhome_user_template',`
 +	gen_require(`
 +		type $1_home_dir_t,  $1_home_t;
- 	')
- 
++	')
++
 +	# privileged home directory writers
 +	manage_dirs_pattern(privhome,{ $1_home_dir_t $1_home_t },$1_home_t)
 +	manage_files_pattern(privhome,{ $1_home_dir_t $1_home_t },$1_home_t)
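Review bot: `userdom_privhome_user_template` uses the `privhome` attribute in `manage_dirs_pattern(privhome,...)` and `manage_files_pattern(privhome,...)` but its `gen_require` block only declares `type $1_home_dir_t,  $1_home_t;`; add `attribute privhome;` to that block so the template is self-contained when expanded from a module other than userdomain. Today it happens to work when reached through `userdom_unpriv_login_user`, which requires `privhome` itself, but a direct caller would fail at link time. The template body continues past this hunk.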
@@ -11267,140 +10830,90 @@
 +	role $1_r types $1_t;
 +	allow system_r $1_r;
 +
-+	allow $1_usertype self:capability { setgid chown fowner };
-+	dontaudit $1_usertype self:capability { sys_nice fsetid };
++	allow $1_t self:capability { setgid chown fowner };
++	dontaudit $1_t self:capability { sys_nice fsetid };
 +
-+	allow $1_usertype self:process ~{ setcurrent setexec setrlimit execmem execstack execheap };
-+	dontaudit $1_usertype self:netlink_route_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown nlmsg_read nlmsg_write };
++	allow $1_t self:process ~{ setcurrent setexec setrlimit execmem execstack execheap };
++	dontaudit $1_t self:netlink_route_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown nlmsg_read nlmsg_write };
 +
-+	allow $1_usertype self:context contains;
++	allow $1_t self:context contains;
 +
 +	##############################
 +	#
 +	# User domain Local policy
 +	#
 +
-+	auth_dontaudit_write_login_records($1_usertype)
++	auth_dontaudit_write_login_records($1_t)
 +
 +	# Find CDROM devices:
-+	kernel_read_device_sysctls($1_usertype)
-+	kernel_read_network_state($1_usertype)
-+	kernel_read_net_sysctls($1_usertype)
-+	kernel_read_system_state($1_usertype)
++	kernel_read_device_sysctls($1_t)
++	kernel_read_network_state($1_t)
++	kernel_read_net_sysctls($1_t)
++	kernel_read_system_state($1_t)
 +
-+	dev_read_sysfs($1_usertype)
-+	dev_read_urand($1_usertype)
++	dev_read_sysfs($1_t)
++	dev_read_urand($1_t)
 +
 +	domain_use_interactive_fds($1_t)
 +	# Command completion can fire hundreds of denials
-+	domain_dontaudit_exec_all_entry_files($1_usertype)
++	domain_dontaudit_exec_all_entry_files($1_t)
 +
 +	# Stat lost+found.
-+	files_getattr_lost_found_dirs($1_usertype)
++	files_getattr_lost_found_dirs($1_t)
 +
-+	fs_get_all_fs_quotas($1_usertype)
-+	fs_getattr_all_fs($1_usertype)
-+	fs_getattr_all_dirs($1_usertype)
-+	fs_search_auto_mountpoints($1_usertype)
-+	fs_list_inotifyfs($1_usertype)
++	fs_get_all_fs_quotas($1_t)
++	fs_getattr_all_fs($1_t)
++	fs_getattr_all_dirs($1_t)
++	fs_search_auto_mountpoints($1_t)
++	fs_list_inotifyfs($1_t)
 +
 +	# Stop warnings about access to /dev/console
-+	init_dontaudit_rw_utmp($1_usertype)
-+	init_dontaudit_use_fds($1_usertype)
-+	init_dontaudit_use_script_fds($1_usertype)
++	init_dontaudit_rw_utmp($1_t)
++	init_dontaudit_use_fds($1_t)
++	init_dontaudit_use_script_fds($1_t)
 +
-+	libs_exec_lib_files($1_usertype)
++	libs_exec_lib_files($1_t)
 +
-+	logging_dontaudit_getattr_all_logs($1_usertype)
++	logging_dontaudit_getattr_all_logs($1_t)
 +
-+	miscfiles_read_man_pages($1_usertype)
++	miscfiles_read_man_pages($1_t)
 +	# for running TeX programs
-+	miscfiles_read_tetex_data($1_usertype)
-+	miscfiles_exec_tetex_data($1_usertype)
++	miscfiles_read_tetex_data($1_t)
++	miscfiles_exec_tetex_data($1_t)
 +
-+	seutil_read_config($1_usertype)
++	seutil_read_config($1_t)
 +
-+	files_dontaudit_list_default($1_usertype)
-+	files_dontaudit_read_default_files($1_usertype)
++	files_dontaudit_list_default($1_t)
++	files_dontaudit_read_default_files($1_t)
 +
 +	userdom_poly_home_template($1)
 +	userdom_poly_tmp_template($1)
 +
- 	optional_policy(`
--		rpm_read_db($1_t)
--		rpm_dontaudit_manage_db($1_t)
-+		cups_stream_connect($1_usertype)
-+		cups_stream_connect_ptal($1_usertype)
++	optional_policy(`
++		cups_stream_connect($1_t)
++		cups_stream_connect_ptal($1_t)
  	')
  
  	optional_policy(`
 -		samba_stream_connect_winbind($1_t)
-+		kerberos_use($1_usertype)
++		kerberos_use($1_t)
  	')
  
  	optional_policy(`
 -		slrnpull_search_spool($1_t)
-+		quota_dontaudit_getattr_db($1_usertype)
- 	')
- 
- 	optional_policy(`
--		usernetctl_run($1_t,$1_r,{ $1_devpts_t $1_tty_device_t })
-+		rpm_read_db($1_usertype)
-+		rpm_dontaudit_manage_db($1_usertype)
- 	')
- ')
- 
-+
- #######################################
- ## <summary>
--##	The template for creating a unprivileged user.
-+##	The template for creating a unprivileged login user.
- ## </summary>
- ## <desc>
- ##	<p>
-@@ -962,21 +1020,16 @@
- ##	</summary>
- ## </param>
- #
--template(`userdom_unpriv_user_template', `
--
-+template(`userdom_unpriv_login_user', `
- 	gen_require(`
-+		attribute unpriv_userdomain;
- 		attribute privhome, user_ptynode, user_home_dir_type, user_home_type, user_tmpfile, user_ttynode;
- 	')
--
--	##############################
--	#
--	# Declarations
--	#
--
--	# Inherit rules for ordinary users.
--	userdom_common_user_template($1)
-+	userdom_login_user_template($1)
-+	userdom_privhome_user_template($1)
- 
- 	typeattribute $1_t unpriv_userdomain;
-+
- 	domain_interactive_fd($1_t)
- 
- 	typeattribute $1_devpts_t user_ptynode;
-@@ -985,36 +1038,68 @@
- 	typeattribute $1_tmp_t user_tmpfile;
- 	typeattribute $1_tty_device_t user_ttynode;
- 
--	userdom_poly_home_template($1)
--	userdom_poly_tmp_template($1)
-+	auth_exec_pam($1_t)
++		quota_dontaudit_getattr_db($1_t)
++	')
 +
 +	optional_policy(`
-+		loadkeys_run($1_t,$1_r,$1_tty_device_t)
-+	')
++		rpm_read_db($1_t)
++		rpm_dontaudit_manage_db($1_t)
+ 	')
 +')
 +
++
 +#######################################
 +## <summary>
-+##	The template for creating a unprivileged user.
++##	The template for creating a unprivileged login user.
 +## </summary>
 +## <desc>
 +##	<p>
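Review bot: `allow $1_t self:process ~{ setcurrent setexec setrlimit execmem execstack execheap };` grants by complement, so any `process` permission not in the list — including ones added to the class by a later policy — is silently allowed to every login user domain; listing the intended permissions positively, or at least adding `# complement: everything but context/limit changes and exec-memory — keep in sync with the process class`, would make the grant reviewable. The `allow $1_t self:capability { setgid chown fowner };` line above it likewise has no comment saying which login-time program needs those capabilities. The summary block at the end of this hunk documents `userdom_unpriv_login_user`, defined in the next hunk; every sibling template here carries a `_template` suffix (`userdom_login_user_template`, `userdom_privhome_user_template`, `userdom_unpriv_user_template`), so `userdom_unpriv_login_user_template` would follow the file's convention. The template this hunk sits in (presumably `userdom_login_user_template`) starts above the hunk.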
@@ -11416,78 +10929,85 @@
 +##	</summary>
 +## </param>
 +#
-+template(`userdom_unpriv_user_template', `
++template(`userdom_unpriv_login_user', `
++	gen_require(`
++		attribute unpriv_userdomain;
++		attribute privhome, user_ptynode, user_home_dir_type, user_home_type, user_tmpfile, user_ttynode;
++	')
++	userdom_login_user_template($1)
++	userdom_privhome_user_template($1)
++
++	typeattribute $1_t unpriv_userdomain;
++
++	domain_interactive_fd($1_t)
++
++	typeattribute $1_devpts_t user_ptynode;
++	typeattribute $1_home_dir_t user_home_dir_type;
++	typeattribute $1_home_t user_home_type;
++	typeattribute $1_tmp_t user_tmpfile;
++	typeattribute $1_tty_device_t user_ttynode;
 +
++	auth_exec_pam($1_t)
+ 
+ 	optional_policy(`
+-		usernetctl_run($1_t,$1_r,{ $1_devpts_t $1_tty_device_t })
++		loadkeys_run($1_t,$1_r,$1_tty_device_t)
+ 	')
+ ')
+ 
+@@ -964,9 +1057,7 @@
+ #
+ template(`userdom_unpriv_user_template', `
+ 
+-	gen_require(`
+-		attribute privhome, user_ptynode, user_home_dir_type, user_home_type, user_tmpfile, user_ttynode;
+-	')
 +	userdom_unpriv_login_user($1)
  
  	##############################
  	#
--	# Local policy
-+	# Declarations
+@@ -976,25 +1067,11 @@
+ 	# Inherit rules for ordinary users.
+ 	userdom_common_user_template($1)
+ 
+-	typeattribute $1_t unpriv_userdomain;
+-	domain_interactive_fd($1_t)
+-
+-	typeattribute $1_devpts_t user_ptynode;
+-	typeattribute $1_home_dir_t user_home_dir_type;
+-	typeattribute $1_home_t user_home_type;
+-	typeattribute $1_tmp_t user_tmpfile;
+-	typeattribute $1_tty_device_t user_ttynode;
+-
+-	userdom_poly_home_template($1)
+-	userdom_poly_tmp_template($1)
+-
+ 	##############################
+ 	#
+ 	# Local policy
  	#
  
 -	corecmd_exec_all_executables($1_t)
-+	# Inherit rules for ordinary users.
-+	userdom_common_user_template($1)
-+
-+	##############################
-+	#
-+	# Local policy
-+	#
- 
+-
  	# port access is audited even if dac would not have allowed it, so dontaudit it here
--	corenet_dontaudit_tcp_bind_all_reserved_ports($1_t)
-+	corenet_dontaudit_tcp_bind_all_reserved_ports($1_usertype)
+ 	corenet_dontaudit_tcp_bind_all_reserved_ports($1_t)
  	# Need the following rule to allow users to run vpnc
--	corenet_tcp_bind_xserver_port($1_t)
-+	corenet_tcp_bind_xserver_port($1_usertype)
- 
--	files_exec_usr_files($1_t)
-+	files_exec_usr_files($1_usertype)
- 	# cjp: why?
--	files_read_kernel_symbol_table($1_t)
-+	files_read_kernel_symbol_table($1_usertype)
- 
- 	ifndef(`enable_mls',`
--		fs_exec_noxattr($1_t)
-+		fs_exec_noxattr($1_usertype)
- 
- 		tunable_policy(`user_rw_noexattrfile',`
--			fs_manage_noxattr_fs_files($1_t)
--			fs_manage_noxattr_fs_dirs($1_t)
-+			fs_manage_noxattr_fs_files($1_usertype)
-+			fs_manage_noxattr_fs_dirs($1_usertype)
- 			# Write floppies 
--			storage_raw_read_removable_device($1_t)
--			storage_raw_write_removable_device($1_t)
-+			storage_raw_read_removable_device($1_usertype)
-+			storage_raw_write_removable_device($1_usertype)
- 		',`
--			storage_raw_read_removable_device($1_t)
-+			storage_raw_read_removable_device($1_usertype)
- 		')
+@@ -1033,14 +1110,6 @@
  	')
  
-@@ -1028,16 +1113,8 @@
- 	# the same domain and outside users)  disabling this forces FTP passive mode
- 	# and may change other protocols
- 	tunable_policy(`user_tcp_server',`
--		corenet_tcp_bind_all_nodes($1_t)
--		corenet_tcp_bind_generic_port($1_t)
+ 	optional_policy(`
+-		kerberos_use($1_t)
 -	')
 -
 -	optional_policy(`
--		kerberos_use($1_t)
+-		loadkeys_run($1_t,$1_r,$1_tty_device_t)
 -	')
 -
 -	optional_policy(`
--		loadkeys_run($1_t,$1_r,$1_tty_device_t)
-+		corenet_tcp_bind_all_nodes($1_usertype)
-+		corenet_tcp_bind_generic_port($1_usertype)
+ 		netutils_run_ping_cond($1_t,$1_r,{ $1_tty_device_t $1_devpts_t })
+ 		netutils_run_traceroute_cond($1_t,$1_r,{ $1_tty_device_t $1_devpts_t })
  	')
- 
- 	optional_policy(`
-@@ -1054,17 +1131,6 @@
+@@ -1054,17 +1123,6 @@
  		setroubleshoot_stream_connect($1_t)
  	')
  
@@ -11505,7 +11025,7 @@
  ')
  
  #######################################
-@@ -1102,6 +1168,8 @@
+@@ -1102,6 +1160,8 @@
  		class passwd { passwd chfn chsh rootok crontab };
  	')
  
@@ -11514,7 +11034,7 @@
  	##############################
  	#
  	# Declarations
-@@ -1127,7 +1195,7 @@
+@@ -1127,7 +1187,7 @@
  	# $1_t local policy
  	#
  
@@ -11523,7 +11043,7 @@
  	allow $1_t self:process { setexec setfscreate };
  
  	# Set password information for other users.
-@@ -1139,8 +1207,6 @@
+@@ -1139,8 +1199,6 @@
  	# Manipulate other users crontab.
  	allow $1_t self:passwd crontab;
  
@@ -11532,7 +11052,7 @@
  	kernel_read_software_raid_state($1_t)
  	kernel_getattr_core_if($1_t)
  	kernel_getattr_message_if($1_t)
-@@ -1902,6 +1968,41 @@
+@@ -1902,6 +1960,41 @@
  
  ########################################
  ## <summary>
@@ -11574,7 +11094,7 @@
  ##	Do not audit attempts to set the
  ##	attributes of user home files.
  ## </summary>
-@@ -3078,7 +3179,7 @@
+@@ -3078,7 +3171,7 @@
  #
  template(`userdom_tmp_filetrans_user_tmp',`
  	gen_require(`
@@ -11583,7 +11103,7 @@
  	')
  
  	files_tmp_filetrans($2,$1_tmp_t,$3)
-@@ -5323,7 +5424,7 @@
+@@ -5323,7 +5416,7 @@
  		attribute user_tmpfile;
  	')
  
@@ -11592,7 +11112,7 @@
  ')
  
  ########################################
-@@ -5548,6 +5649,26 @@
+@@ -5548,6 +5641,26 @@
  
  ########################################
  ## <summary>
@@ -11619,7 +11139,7 @@
  ##	Unconfined access to user domains.  (Deprecated)
  ## </summary>
  ## <param name="domain">
-@@ -5559,3 +5680,234 @@
+@@ -5559,3 +5672,233 @@
  interface(`userdom_unconfined',`
  	refpolicywarn(`$0($*) has been deprecated.')
  ')
@@ -11788,14 +11308,13 @@
 +# Should be optional but policy will not build because of compiler problems
 +# Must be before xwindows calls
 +#optional_policy(`
-+	gnome_per_role_template($1, $1_usertype, $1_r)
++	gnome_per_role_template($1, $1_t, $1_r)
 +	gnome_exec_gconf($1_t)
 +#')
 +
 +userdom_xwindows_client_template($1)
-+allow xguest_usertype xguest_usertype:unix_stream_socket { create_stream_socket_perms connectto };
 +
-+logging_send_syslog_msg($1_usertype)
++logging_send_syslog_msg($1_t)
 +
 +optional_policy(`
 +	alsa_read_rw_config($1_t)
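Review bot: The commented-out `#optional_policy(` around `gnome_per_role_template($1, $1_t, $1_r)` and `gnome_exec_gconf($1_t)` turns the gnome module into a hard build dependency of this template, and the comment "policy will not build because of compiler problems" records neither the error nor the toolchain version, so nobody can tell when it is safe to restore the wrapper. A note such as `# TODO: re-wrap in optional_policy once <BUG-ID — fill in> (<checkmodule error text — fill in>) is fixed` would make the workaround revisitable. The enclosing template starts above this hunk.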
@@ -11803,13 +11322,13 @@
 +
 +authlogin_per_role_template($1, $1_t, $1_r)
 +
-+dev_read_sound($1_usertype)
-+dev_write_sound($1_usertype)
++dev_read_sound($1_t)
++dev_write_sound($1_t)
 +
 +optional_policy(`
-+	dbus_per_role_template($1, $1_usertype, $1_r)
-+	dbus_system_bus_client_template($1, $1_usertype)
-+	allow $1_usertype self:dbus send_msg;
++	dbus_per_role_template($1, $1_t, $1_r)
++	dbus_system_bus_client_template($1, $1_t)
++	allow $1_t self:dbus send_msg;
 +')
 +
 +optional_policy(`
@@ -11829,7 +11348,7 @@
 +')
 +
 +# gnome keyring wants to read this. Needs to be exlicitly granted
-+dev_dontaudit_read_rand($1_usertype)
++dev_dontaudit_read_rand($1_t)
 +
 +')
 +
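Review bot: The comment "gnome keyring wants to read this. Needs to be exlicitly granted" sits above `dev_dontaudit_read_rand($1_t)`, which does not grant anything — it only silences the denial — so the comment and the rule disagree about intent; reword it to `# gnome-keyring tries to read the random device; access is not granted here, only the denial is silenced`, which also fixes the "exlicitly" typo. If the intent is really to grant the read, the rule should be `dev_read_rand($1_t)` instead. The enclosing template starts above this hunk and is closed by the final `+')`.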


Index: selinux-policy.spec
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/devel/selinux-policy.spec,v
retrieving revision 1.478
retrieving revision 1.479
diff -u -r1.478 -r1.479
--- selinux-policy.spec	23 Jul 2007 16:00:09 -0000	1.478
+++ selinux-policy.spec	23 Jul 2007 20:34:22 -0000	1.479
@@ -17,7 +17,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.0.3
-Release: 4%{?dist}
+Release: 5%{?dist}
 License: GPL
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -359,6 +359,9 @@
 %endif
 
 %changelog
+* Mon Jul 23 2007 Dan Walsh <dwalsh at redhat.com> 3.0.3-5
+- Add ntpd_key_t to handle secret data
+
 * Fri Jul 20 2007 Dan Walsh <dwalsh at redhat.com> 3.0.3-4
 - Add anon_inodefs
 - Allow unpriv user exec pam_exec_t



