rpms/selinux-policy/F-13 policy-F13.patch, 1.117, 1.118 selinux-policy.spec, 1.1019, 1.1020
Daniel J Walsh
dwalsh at fedoraproject.org
Mon May 24 21:07:03 UTC 2010
Author: dwalsh
Update of /cvs/extras/rpms/selinux-policy/F-13
In directory cvs01.phx2.fedoraproject.org:/tmp/cvs-serv9809
Modified Files:
policy-F13.patch selinux-policy.spec
Log Message:
* Monu May 24 2010 Dan Walsh <dwalsh at redhat.com> 3.7.19-21
- Allow login programs to read krb5_home_t
Resolves: #594833
- Add obsoletes for cachefilesfd-selinux package
Resolves: #575084
policy-F13.patch:
Makefile | 2
policy/global_tunables | 24
policy/mls | 2
policy/modules/admin/accountsd.fc | 4
policy/modules/admin/accountsd.if | 164 +++
policy/modules/admin/accountsd.te | 56 +
policy/modules/admin/acct.te | 1
policy/modules/admin/alsa.te | 2
policy/modules/admin/anaconda.te | 4
policy/modules/admin/certwatch.te | 2
policy/modules/admin/consoletype.if | 3
policy/modules/admin/consoletype.te | 1
policy/modules/admin/dmesg.te | 5
policy/modules/admin/firstboot.te | 7
policy/modules/admin/kismet.te | 1
policy/modules/admin/logrotate.te | 42
policy/modules/admin/mcelog.te | 2
policy/modules/admin/mrtg.te | 1
policy/modules/admin/netutils.fc | 2
policy/modules/admin/netutils.te | 20
policy/modules/admin/prelink.fc | 4
policy/modules/admin/prelink.if | 28
policy/modules/admin/prelink.te | 79 +
policy/modules/admin/quota.te | 1
policy/modules/admin/readahead.te | 4
policy/modules/admin/rpm.fc | 21
policy/modules/admin/rpm.if | 387 +++++++
policy/modules/admin/rpm.te | 110 +-
policy/modules/admin/shorewall.te | 6
policy/modules/admin/shutdown.fc | 5
policy/modules/admin/shutdown.if | 136 ++
policy/modules/admin/shutdown.te | 63 +
policy/modules/admin/su.if | 11
policy/modules/admin/sudo.if | 12
policy/modules/admin/tmpreaper.te | 24
policy/modules/admin/usermanage.if | 20
policy/modules/admin/usermanage.te | 21
policy/modules/admin/vbetool.te | 6
policy/modules/admin/vpn.if | 20
policy/modules/admin/vpn.te | 8
policy/modules/apps/chrome.fc | 3
policy/modules/apps/chrome.if | 90 +
policy/modules/apps/chrome.te | 86 +
policy/modules/apps/cpufreqselector.te | 4
policy/modules/apps/execmem.fc | 47
policy/modules/apps/execmem.if | 110 ++
policy/modules/apps/execmem.te | 11
policy/modules/apps/firewallgui.fc | 3
policy/modules/apps/firewallgui.if | 23
policy/modules/apps/firewallgui.te | 66 +
policy/modules/apps/gitosis.if | 2
policy/modules/apps/gnome.fc | 24
policy/modules/apps/gnome.if | 438 ++++++++
policy/modules/apps/gnome.te | 116 ++
policy/modules/apps/gpg.fc | 1
policy/modules/apps/gpg.if | 114 ++
policy/modules/apps/gpg.te | 157 ++
policy/modules/apps/irc.fc | 7
policy/modules/apps/irc.if | 37
policy/modules/apps/irc.te | 104 +
policy/modules/apps/java.fc | 7
policy/modules/apps/java.if | 4
policy/modules/apps/java.te | 9
policy/modules/apps/kdumpgui.fc | 2
policy/modules/apps/kdumpgui.if | 2
policy/modules/apps/kdumpgui.te | 68 +
policy/modules/apps/livecd.fc | 2
policy/modules/apps/livecd.if | 127 ++
policy/modules/apps/livecd.te | 34
policy/modules/apps/loadkeys.if | 3
policy/modules/apps/loadkeys.te | 6
policy/modules/apps/mono.if | 5
policy/modules/apps/mozilla.fc | 2
policy/modules/apps/mozilla.if | 62 +
policy/modules/apps/mozilla.te | 22
policy/modules/apps/mplayer.if | 36
policy/modules/apps/mplayer.te | 29
policy/modules/apps/nsplugin.fc | 10
policy/modules/apps/nsplugin.if | 391 +++++++
policy/modules/apps/nsplugin.te | 297 +++++
policy/modules/apps/openoffice.fc | 4
policy/modules/apps/openoffice.if | 129 ++
policy/modules/apps/openoffice.te | 17
policy/modules/apps/podsleuth.te | 3
policy/modules/apps/pulseaudio.fc | 1
policy/modules/apps/pulseaudio.if | 57 +
policy/modules/apps/pulseaudio.te | 6
policy/modules/apps/qemu.fc | 4
policy/modules/apps/qemu.if | 84 +
policy/modules/apps/qemu.te | 11
policy/modules/apps/sambagui.fc | 1
policy/modules/apps/sambagui.if | 2
policy/modules/apps/sambagui.te | 66 +
policy/modules/apps/sandbox.fc | 1
policy/modules/apps/sandbox.if | 314 +++++
policy/modules/apps/sandbox.te | 385 +++++++
policy/modules/apps/seunshare.if | 78 -
policy/modules/apps/seunshare.te | 35
policy/modules/apps/slocate.te | 4
policy/modules/apps/telepathysofiasip.fc | 2
policy/modules/apps/telepathysofiasip.if | 69 +
policy/modules/apps/telepathysofiasip.te | 45
policy/modules/apps/userhelper.fc | 1
policy/modules/apps/userhelper.if | 56 +
policy/modules/apps/userhelper.te | 42
policy/modules/apps/vmware.if | 19
policy/modules/apps/vmware.te | 13
policy/modules/apps/wine.fc | 1
policy/modules/apps/wine.if | 11
policy/modules/apps/wine.te | 22
policy/modules/apps/wm.if | 16
policy/modules/kernel/corecommands.fc | 32
policy/modules/kernel/corecommands.if | 2
policy/modules/kernel/corenetwork.te.in | 32
policy/modules/kernel/devices.fc | 7
policy/modules/kernel/devices.if | 91 +
policy/modules/kernel/devices.te | 12
policy/modules/kernel/domain.if | 63 +
policy/modules/kernel/domain.te | 112 ++
policy/modules/kernel/files.fc | 27
policy/modules/kernel/files.if | 653 +++++++++++-
policy/modules/kernel/files.te | 15
policy/modules/kernel/filesystem.if | 296 ++++-
policy/modules/kernel/filesystem.te | 11
policy/modules/kernel/kernel.if | 107 +
policy/modules/kernel/kernel.te | 34
policy/modules/kernel/selinux.if | 25
policy/modules/kernel/storage.fc | 1
policy/modules/kernel/storage.if | 22
policy/modules/kernel/terminal.if | 29
policy/modules/roles/auditadm.te | 3
policy/modules/roles/guest.te | 8
policy/modules/roles/secadm.te | 2
policy/modules/roles/staff.te | 118 ++
policy/modules/roles/sysadm.te | 98 +
policy/modules/roles/unconfineduser.fc | 10
policy/modules/roles/unconfineduser.if | 667 ++++++++++++
policy/modules/roles/unconfineduser.te | 435 ++++++++
policy/modules/roles/unprivuser.te | 23
policy/modules/roles/xguest.te | 79 +
policy/modules/services/abrt.fc | 9
policy/modules/services/abrt.if | 201 +++
policy/modules/services/abrt.te | 160 ++
policy/modules/services/afs.te | 5
policy/modules/services/aiccu.fc | 5
policy/modules/services/aiccu.if | 119 ++
policy/modules/services/aiccu.te | 44
policy/modules/services/aisexec.fc | 10
policy/modules/services/aisexec.if | 106 +
policy/modules/services/aisexec.te | 118 ++
policy/modules/services/apache.fc | 17
policy/modules/services/apache.if | 203 +++
policy/modules/services/apache.te | 234 ++++
policy/modules/services/apcupsd.te | 4
policy/modules/services/arpwatch.te | 4
policy/modules/services/asterisk.if | 19
policy/modules/services/asterisk.te | 45
policy/modules/services/automount.te | 1
policy/modules/services/avahi.if | 1
policy/modules/services/bluetooth.if | 21
policy/modules/services/boinc.fc | 6
policy/modules/services/boinc.if | 151 ++
policy/modules/services/boinc.te | 93 +
policy/modules/services/bugzilla.fc | 4
policy/modules/services/bugzilla.if | 39
policy/modules/services/bugzilla.te | 57 +
policy/modules/services/cachefilesd.fc | 29
policy/modules/services/cachefilesd.if | 41
policy/modules/services/cachefilesd.te | 147 ++
policy/modules/services/ccs.te | 10
policy/modules/services/certmonger.fc | 6
policy/modules/services/certmonger.if | 217 ++++
policy/modules/services/certmonger.te | 74 +
policy/modules/services/cgroup.fc | 12
policy/modules/services/cgroup.if | 243 ++++
policy/modules/services/cgroup.te | 102 +
policy/modules/services/chronyd.if | 77 +
policy/modules/services/chronyd.te | 10
policy/modules/services/clamav.te | 19
policy/modules/services/clogd.fc | 4
policy/modules/services/clogd.if | 82 +
policy/modules/services/clogd.te | 65 +
policy/modules/services/cobbler.if | 4
policy/modules/services/cobbler.te | 14
policy/modules/services/consolekit.fc | 4
policy/modules/services/consolekit.if | 39
policy/modules/services/consolekit.te | 38
policy/modules/services/corosync.fc | 15
policy/modules/services/corosync.if | 108 +
policy/modules/services/corosync.te | 122 ++
policy/modules/services/cron.fc | 6
policy/modules/services/cron.if | 101 +
policy/modules/services/cron.te | 100 +
policy/modules/services/cups.fc | 15
policy/modules/services/cups.te | 67 +
policy/modules/services/cvs.te | 2
policy/modules/services/cyrus.te | 2
policy/modules/services/dbus.if | 107 +
policy/modules/services/dbus.te | 21
policy/modules/services/denyhosts.fc | 7
policy/modules/services/denyhosts.if | 87 +
policy/modules/services/denyhosts.te | 76 +
policy/modules/services/devicekit.fc | 8
policy/modules/services/devicekit.if | 22
policy/modules/services/devicekit.te | 101 +
policy/modules/services/dhcp.te | 4
policy/modules/services/djbdns.if | 38
policy/modules/services/djbdns.te | 8
policy/modules/services/dnsmasq.fc | 2
policy/modules/services/dnsmasq.if | 4
policy/modules/services/dnsmasq.te | 22
policy/modules/services/dovecot.fc | 6
policy/modules/services/dovecot.te | 47
policy/modules/services/exim.fc | 3
policy/modules/services/exim.if | 61 +
policy/modules/services/exim.te | 3
policy/modules/services/fail2ban.if | 20
policy/modules/services/fprintd.te | 2
policy/modules/services/ftp.fc | 2
policy/modules/services/ftp.if | 38
policy/modules/services/ftp.te | 179 +++
policy/modules/services/git.fc | 9
policy/modules/services/git.if | 533 +++++++++
policy/modules/services/git.te | 190 +++
policy/modules/services/gnomeclock.if | 21
policy/modules/services/gpsd.te | 5
policy/modules/services/hal.if | 22
policy/modules/services/hal.te | 37
policy/modules/services/inn.te | 1
policy/modules/services/kerberos.if | 6
policy/modules/services/kerberos.te | 3
policy/modules/services/ksmtuned.fc | 2
policy/modules/services/ksmtuned.te | 11
policy/modules/services/ldap.fc | 5
policy/modules/services/ldap.if | 81 +
policy/modules/services/ldap.te | 13
policy/modules/services/lircd.te | 23
policy/modules/services/milter.if | 20
policy/modules/services/milter.te | 8
policy/modules/services/modemmanager.te | 9
policy/modules/services/mta.fc | 2
policy/modules/services/mta.if | 68 +
policy/modules/services/mta.te | 25
policy/modules/services/munin.fc | 58 +
policy/modules/services/munin.if | 66 +
policy/modules/services/munin.te | 175 +++
policy/modules/services/mysql.te | 3
policy/modules/services/nagios.fc | 83 +
policy/modules/services/nagios.if | 142 ++
policy/modules/services/nagios.te | 283 ++++-
policy/modules/services/networkmanager.fc | 20
policy/modules/services/networkmanager.if | 126 ++
policy/modules/services/networkmanager.te | 127 +-
policy/modules/services/nis.fc | 10
policy/modules/services/nis.if | 78 +
policy/modules/services/nis.te | 21
policy/modules/services/nscd.if | 20
policy/modules/services/nscd.te | 27
policy/modules/services/nslcd.te | 2
policy/modules/services/ntop.te | 32
policy/modules/services/ntp.te | 3
policy/modules/services/nut.te | 4
policy/modules/services/nx.fc | 12
policy/modules/services/nx.if | 67 +
policy/modules/services/nx.te | 13
policy/modules/services/oddjob.fc | 1
policy/modules/services/oddjob.if | 1
policy/modules/services/oddjob.te | 5
policy/modules/services/oident.te | 1
policy/modules/services/openvpn.te | 7
policy/modules/services/pegasus.te | 28
policy/modules/services/piranha.fc | 21
policy/modules/services/piranha.if | 175 +++
policy/modules/services/piranha.te | 187 +++
policy/modules/services/plymouthd.fc | 9
policy/modules/services/plymouthd.if | 322 +++++
policy/modules/services/plymouthd.te | 109 ++
policy/modules/services/policykit.fc | 5
policy/modules/services/policykit.if | 71 +
policy/modules/services/policykit.te | 86 +
policy/modules/services/portreserve.fc | 3
policy/modules/services/portreserve.if | 55 +
policy/modules/services/portreserve.te | 3
policy/modules/services/postfix.fc | 3
policy/modules/services/postfix.if | 282 ++++-
policy/modules/services/postfix.te | 152 ++
policy/modules/services/ppp.te | 4
policy/modules/services/procmail.fc | 2
policy/modules/services/procmail.te | 26
policy/modules/services/pyzor.fc | 4
policy/modules/services/pyzor.if | 47
policy/modules/services/pyzor.te | 37
policy/modules/services/qpidd.fc | 9
policy/modules/services/qpidd.if | 236 ++++
policy/modules/services/qpidd.te | 61 +
policy/modules/services/razor.fc | 1
policy/modules/services/razor.if | 42
policy/modules/services/razor.te | 32
policy/modules/services/rgmanager.fc | 10
policy/modules/services/rgmanager.if | 141 ++
policy/modules/services/rgmanager.te | 229 ++++
policy/modules/services/rhcs.fc | 23
policy/modules/services/rhcs.if | 424 +++++++
policy/modules/services/rhcs.te | 240 ++++
policy/modules/services/ricci.fc | 3
policy/modules/services/ricci.if | 62 +
policy/modules/services/ricci.te | 42
policy/modules/services/rlogin.fc | 3
policy/modules/services/rlogin.te | 1
policy/modules/services/rpc.if | 21
policy/modules/services/rpc.te | 15
policy/modules/services/rsync.if | 4
policy/modules/services/rsync.te | 26
policy/modules/services/rtkit.if | 21
policy/modules/services/samba.fc | 4
policy/modules/services/samba.if | 138 ++
policy/modules/services/samba.te | 123 +-
policy/modules/services/sasl.te | 3
policy/modules/services/sendmail.fc | 2
policy/modules/services/sendmail.if | 84 +
policy/modules/services/sendmail.te | 20
policy/modules/services/setroubleshoot.fc | 2
policy/modules/services/setroubleshoot.if | 124 ++
policy/modules/services/setroubleshoot.te | 91 +
policy/modules/services/smartmon.te | 2
policy/modules/services/smokeping.te | 1
policy/modules/services/snmp.te | 3
policy/modules/services/snort.te | 4
policy/modules/services/spamassassin.fc | 15
policy/modules/services/spamassassin.if | 107 +
policy/modules/services/spamassassin.te | 141 ++
policy/modules/services/squid.te | 21
policy/modules/services/ssh.fc | 6
policy/modules/services/ssh.if | 158 ++
policy/modules/services/ssh.te | 56 -
policy/modules/services/sssd.te | 3
policy/modules/services/tgtd.te | 6
policy/modules/services/tor.te | 3
policy/modules/services/tuned.te | 5
policy/modules/services/ucspitcp.te | 5
policy/modules/services/usbmuxd.fc | 2
policy/modules/services/varnishd.if | 19
policy/modules/services/vhostmd.te | 2
policy/modules/services/virt.fc | 6
policy/modules/services/virt.if | 59 -
policy/modules/services/virt.te | 99 +
policy/modules/services/w3c.te | 7
policy/modules/services/xserver.fc | 61 -
policy/modules/services/xserver.if | 451 ++++++++
policy/modules/services/xserver.te | 410 ++++++-
policy/modules/system/application.te | 16
policy/modules/system/authlogin.fc | 1
policy/modules/system/authlogin.if | 56 -
policy/modules/system/daemontools.if | 62 +
policy/modules/system/daemontools.te | 26
policy/modules/system/fstools.fc | 2
policy/modules/system/fstools.te | 12
policy/modules/system/getty.te | 2
policy/modules/system/hostname.te | 7
policy/modules/system/init.fc | 3
policy/modules/system/init.if | 146 ++
policy/modules/system/init.te | 216 +++
policy/modules/system/ipsec.te | 17
policy/modules/system/iptables.fc | 9
policy/modules/system/iptables.if | 4
policy/modules/system/iptables.te | 21
policy/modules/system/iscsi.if | 18
policy/modules/system/libraries.fc | 152 ++
policy/modules/system/libraries.te | 8
policy/modules/system/locallogin.te | 40
policy/modules/system/logging.fc | 16
policy/modules/system/logging.if | 43
policy/modules/system/logging.te | 23
policy/modules/system/lvm.fc | 1
policy/modules/system/lvm.if | 2
policy/modules/system/lvm.te | 21
policy/modules/system/miscfiles.fc | 2
policy/modules/system/miscfiles.if | 3
policy/modules/system/modutils.te | 14
policy/modules/system/mount.fc | 8
policy/modules/system/mount.if | 163 ++-
policy/modules/system/mount.te | 152 ++
policy/modules/system/raid.te | 1
policy/modules/system/selinuxutil.fc | 17
policy/modules/system/selinuxutil.if | 330 ++++++
policy/modules/system/selinuxutil.te | 246 +---
policy/modules/system/setrans.te | 1
policy/modules/system/sosreport.fc | 2
policy/modules/system/sosreport.if | 131 ++
policy/modules/system/sosreport.te | 155 ++
policy/modules/system/sysnetwork.fc | 2
policy/modules/system/sysnetwork.if | 114 +-
policy/modules/system/sysnetwork.te | 25
policy/modules/system/udev.fc | 1
policy/modules/system/udev.if | 19
policy/modules/system/udev.te | 13
policy/modules/system/unconfined.fc | 14
policy/modules/system/unconfined.if | 440 --------
policy/modules/system/unconfined.te | 224 ----
policy/modules/system/userdomain.fc | 10
policy/modules/system/userdomain.if | 1622 ++++++++++++++++++++++++------
policy/modules/system/userdomain.te | 54
policy/modules/system/xen.if | 3
policy/modules/system/xen.te | 14
policy/support/misc_patterns.spt | 8
policy/support/obj_perm_sets.spt | 38
policy/users | 17
407 files changed, 23328 insertions(+), 2144 deletions(-)
Index: policy-F13.patch
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/F-13/policy-F13.patch,v
retrieving revision 1.117
retrieving revision 1.118
diff -u -p -r1.117 -r1.118
--- policy-F13.patch 21 May 2010 13:24:44 -0000 1.117
+++ policy-F13.patch 24 May 2010 21:06:59 -0000 1.118
@@ -384,6 +384,21 @@ diff --exclude-from=exclude -N -u -r nsa
role system_r types consoletype_t;
########################################
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/dmesg.te serefpolicy-3.7.19/policy/modules/admin/dmesg.te
+--- nsaserefpolicy/policy/modules/admin/dmesg.te 2009-07-14 14:19:57.000000000 -0400
++++ serefpolicy-3.7.19/policy/modules/admin/dmesg.te 2010-05-24 12:17:32.000000000 -0400
+@@ -51,6 +51,11 @@
+ userdom_use_user_terminals(dmesg_t)
+
+ optional_policy(`
++ abrt_rw_fifo_file(dmesg_t)
++ abrt_manage_pid_files(dmesg_t)
++')
++
++optional_policy(`
+ seutil_sigchld_newrole(dmesg_t)
+ ')
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/firstboot.te serefpolicy-3.7.19/policy/modules/admin/firstboot.te
--- nsaserefpolicy/policy/modules/admin/firstboot.te 2010-03-18 06:48:09.000000000 -0400
+++ serefpolicy-3.7.19/policy/modules/admin/firstboot.te 2010-04-14 10:48:18.000000000 -0400
@@ -3405,7 +3420,7 @@ diff --exclude-from=exclude -N -u -r nsa
/usr/bin/gpg-agent -- gen_context(system_u:object_r:gpg_agent_exec_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gpg.if serefpolicy-3.7.19/policy/modules/apps/gpg.if
--- nsaserefpolicy/policy/modules/apps/gpg.if 2009-09-09 09:23:16.000000000 -0400
-+++ serefpolicy-3.7.19/policy/modules/apps/gpg.if 2010-04-28 12:18:06.000000000 -0400
++++ serefpolicy-3.7.19/policy/modules/apps/gpg.if 2010-05-24 17:06:20.000000000 -0400
@@ -21,6 +21,7 @@
type gpg_agent_t, gpg_agent_exec_t;
type gpg_agent_tmp_t;
@@ -3438,7 +3453,51 @@ diff --exclude-from=exclude -N -u -r nsa
')
')
-@@ -95,3 +102,65 @@
+@@ -78,6 +85,43 @@
+ domtrans_pattern($1, gpg_exec_t, gpg_t)
+ ')
+
++######################################
++## <summary>
++## Transition to a gpg web domain.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`gpg_domtrans_web',`
++ gen_require(`
++ type gpg_web_t, gpg_exec_t;
++ ')
++
++ domtrans_pattern($1, gpg_exec_t, gpg_web_t)
++')
++
++######################################
++## <summary>
++## Make gpg an entrypoint for
++## the specified domain.
++## </summary>
++## <param name="domain">
++## <summary>
++## The domain for which cifs_t is an entrypoint.
++## </summary>
++## </param>
++#
++interface(`gpg_entry_type',`
++ gen_require(`
++ type gpg_exec_t;
++ ')
++
++ domain_entry_file($1, gpg_exec_t)
++')
++
+ ########################################
+ ## <summary>
+ ## Send generic signals to user gpg processes.
+@@ -95,3 +139,65 @@
allow $1 gpg_t:process signal;
')
@@ -3506,7 +3565,7 @@ diff --exclude-from=exclude -N -u -r nsa
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gpg.te serefpolicy-3.7.19/policy/modules/apps/gpg.te
--- nsaserefpolicy/policy/modules/apps/gpg.te 2009-12-04 09:43:33.000000000 -0500
-+++ serefpolicy-3.7.19/policy/modules/apps/gpg.te 2010-05-13 10:54:06.000000000 -0400
++++ serefpolicy-3.7.19/policy/modules/apps/gpg.te 2010-05-24 17:06:20.000000000 -0400
@@ -5,6 +5,7 @@
#
# Declarations
@@ -3515,11 +3574,19 @@ diff --exclude-from=exclude -N -u -r nsa
## <desc>
## <p>
-@@ -14,12 +15,13 @@
+@@ -14,12 +15,21 @@
## </desc>
gen_tunable(gpg_agent_env_file, false)
-type gpg_t;
++## <desc>
++## <p>
++## Allow gpg web domain to modify public files
++## used for public file transfer services.
++## </p>
++## </desc>
++gen_tunable(gpg_web_anon_write, false)
++
+type gpg_t, gpgdomain;
type gpg_exec_t;
typealias gpg_t alias { user_gpg_t staff_gpg_t sysadm_gpg_t };
@@ -3530,7 +3597,7 @@ diff --exclude-from=exclude -N -u -r nsa
type gpg_agent_t;
type gpg_agent_exec_t;
-@@ -45,6 +47,7 @@
+@@ -45,6 +55,7 @@
typealias gpg_helper_t alias { auditadm_gpg_helper_t secadm_gpg_helper_t };
application_domain(gpg_helper_t, gpg_helper_exec_t)
ubac_constrained(gpg_helper_t)
@@ -3538,7 +3605,7 @@ diff --exclude-from=exclude -N -u -r nsa
type gpg_pinentry_t;
type pinentry_exec_t;
-@@ -53,22 +56,33 @@
+@@ -53,22 +64,38 @@
application_domain(gpg_pinentry_t, pinentry_exec_t)
ubac_constrained(gpg_pinentry_t)
@@ -3550,6 +3617,11 @@ diff --exclude-from=exclude -N -u -r nsa
+files_tmpfs_file(gpg_pinentry_tmpfs_t)
+ubac_constrained(gpg_pinentry_tmpfs_t)
+
++type gpg_web_t;
++domain_type(gpg_web_t)
++gpg_entry_type(gpg_web_t)
++role system_r types gpg_web_t;
++
########################################
#
# GPG local policy
@@ -3577,7 +3649,7 @@ diff --exclude-from=exclude -N -u -r nsa
# transition from the gpg domain to the helper domain
domtrans_pattern(gpg_t, gpg_helper_exec_t, gpg_helper_t)
-@@ -79,6 +93,9 @@
+@@ -79,6 +106,9 @@
kernel_read_sysctl(gpg_t)
@@ -3587,7 +3659,7 @@ diff --exclude-from=exclude -N -u -r nsa
corenet_all_recvfrom_unlabeled(gpg_t)
corenet_all_recvfrom_netlabel(gpg_t)
corenet_tcp_sendrecv_generic_if(gpg_t)
-@@ -95,6 +112,7 @@
+@@ -95,6 +125,7 @@
dev_read_generic_usb_dev(gpg_t)
fs_getattr_xattr_fs(gpg_t)
@@ -3595,7 +3667,7 @@ diff --exclude-from=exclude -N -u -r nsa
domain_use_interactive_fds(gpg_t)
-@@ -112,6 +130,8 @@
+@@ -112,6 +143,8 @@
# sign/encrypt user files
userdom_manage_user_tmp_files(gpg_t)
userdom_manage_user_home_content_files(gpg_t)
@@ -3604,7 +3676,7 @@ diff --exclude-from=exclude -N -u -r nsa
mta_write_config(gpg_t)
-@@ -126,15 +146,20 @@
+@@ -126,15 +159,20 @@
')
optional_policy(`
@@ -3629,7 +3701,7 @@ diff --exclude-from=exclude -N -u -r nsa
########################################
#
# GPG helper local policy
-@@ -184,6 +209,7 @@
+@@ -184,6 +222,7 @@
#
# GPG agent local policy
#
@@ -3637,7 +3709,7 @@ diff --exclude-from=exclude -N -u -r nsa
# rlimit: gpg-agent wants to prevent coredumps
allow gpg_agent_t self:process setrlimit;
-@@ -202,10 +228,16 @@
+@@ -202,10 +241,16 @@
manage_sock_files_pattern(gpg_agent_t, gpg_agent_tmp_t, gpg_agent_tmp_t)
files_tmp_filetrans(gpg_agent_t, gpg_agent_tmp_t, { file sock_file dir })
@@ -3654,7 +3726,7 @@ diff --exclude-from=exclude -N -u -r nsa
domain_use_interactive_fds(gpg_agent_t)
-@@ -215,6 +247,10 @@
+@@ -215,6 +260,10 @@
userdom_use_user_terminals(gpg_agent_t)
# read and write ~/.gnupg (gpg-agent stores secret keys in ~/.gnupg/private-keys-v1.d )
userdom_search_user_home_dirs(gpg_agent_t)
@@ -3665,7 +3737,7 @@ diff --exclude-from=exclude -N -u -r nsa
tunable_policy(`gpg_agent_env_file',`
# write ~/.gpg-agent-info or a similar to the users home dir
-@@ -237,31 +273,74 @@
+@@ -237,31 +286,74 @@
fs_manage_cifs_symlinks(gpg_agent_t)
')
@@ -3741,7 +3813,7 @@ diff --exclude-from=exclude -N -u -r nsa
tunable_policy(`use_nfs_home_dirs',`
fs_read_nfs_files(gpg_pinentry_t)
')
-@@ -271,5 +350,25 @@
+@@ -271,5 +363,46 @@
')
optional_policy(`
@@ -3767,7 +3839,28 @@ diff --exclude-from=exclude -N -u -r nsa
+optional_policy(`
+ xserver_user_x_domain_template(gpg_pinentry, gpg_pinentry_t, gpg_pinentry_tmpfs_t)
+
++')
++
++#############################
++#
++# gpg web local policy
++#
++
++allow gpg_web_t self:process setrlimit;
++
++can_exec(gpg_web_t, gpg_exec_t)
++
++files_read_usr_files(gpg_web_t)
++
++miscfiles_read_localization(gpg_web_t)
++
++apache_dontaudit_rw_tmp_files(gpg_web_t)
++apache_manage_sys_content_rw(gpg_web_t)
++
++tunable_policy(`gpg_web_anon_write',`
++ miscfiles_manage_public_files(gpg_web_t)
')
++
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/irc.fc serefpolicy-3.7.19/policy/modules/apps/irc.fc
--- nsaserefpolicy/policy/modules/apps/irc.fc 2009-07-14 14:19:57.000000000 -0400
+++ serefpolicy-3.7.19/policy/modules/apps/irc.fc 2010-04-14 10:48:18.000000000 -0400
@@ -9958,22 +10051,19 @@ diff --exclude-from=exclude -N -u -r nsa
')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/guest.te serefpolicy-3.7.19/policy/modules/roles/guest.te
--- nsaserefpolicy/policy/modules/roles/guest.te 2010-03-05 17:14:56.000000000 -0500
-+++ serefpolicy-3.7.19/policy/modules/roles/guest.te 2010-04-14 10:48:18.000000000 -0400
-@@ -16,6 +16,10 @@
++++ serefpolicy-3.7.19/policy/modules/roles/guest.te 2010-05-24 14:22:21.000000000 -0400
+@@ -16,11 +16,7 @@
#
optional_policy(`
+- java_role_template(guest, guest_r, guest_t)
+ apache_role(guest_r, guest_t)
-+')
-+
-+optional_policy(`
- java_role_template(guest, guest_r, guest_t)
- ')
-
-@@ -23,4 +27,4 @@
- mono_role_template(guest, guest_r, guest_t)
')
+-optional_policy(`
+- mono_role_template(guest, guest_r, guest_t)
+-')
+-
-#gen_user(guest_u,, guest_r, s0, s0)
+gen_user(guest_u, user, guest_r, s0, s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/secadm.te serefpolicy-3.7.19/policy/modules/roles/secadm.te
@@ -9990,7 +10080,7 @@ diff --exclude-from=exclude -N -u -r nsa
#
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/staff.te serefpolicy-3.7.19/policy/modules/roles/staff.te
--- nsaserefpolicy/policy/modules/roles/staff.te 2010-03-10 15:27:26.000000000 -0500
-+++ serefpolicy-3.7.19/policy/modules/roles/staff.te 2010-05-12 09:01:18.000000000 -0400
++++ serefpolicy-3.7.19/policy/modules/roles/staff.te 2010-05-24 14:24:22.000000000 -0400
@@ -9,25 +9,56 @@
role staff_r;
@@ -11873,7 +11963,7 @@ diff --exclude-from=exclude -N -u -r nsa
+/var/run/abrt(/.*)? gen_context(system_u:object_r:abrt_var_run_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/abrt.if serefpolicy-3.7.19/policy/modules/services/abrt.if
--- nsaserefpolicy/policy/modules/services/abrt.if 2010-03-01 15:12:54.000000000 -0500
-+++ serefpolicy-3.7.19/policy/modules/services/abrt.if 2010-05-20 09:42:12.000000000 -0400
++++ serefpolicy-3.7.19/policy/modules/services/abrt.if 2010-05-24 12:15:09.000000000 -0400
@@ -19,6 +19,28 @@
domtrans_pattern($1, abrt_exec_t, abrt_t)
')
@@ -12815,7 +12905,7 @@ diff --exclude-from=exclude -N -u -r nsa
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.if serefpolicy-3.7.19/policy/modules/services/apache.if
--- nsaserefpolicy/policy/modules/services/apache.if 2010-04-06 15:15:38.000000000 -0400
-+++ serefpolicy-3.7.19/policy/modules/services/apache.if 2010-05-19 14:04:37.000000000 -0400
++++ serefpolicy-3.7.19/policy/modules/services/apache.if 2010-05-24 17:06:20.000000000 -0400
@@ -13,17 +13,13 @@
#
template(`apache_content_template',`
@@ -13040,10 +13130,35 @@ diff --exclude-from=exclude -N -u -r nsa
files_search_var($1)
')
-@@ -843,6 +878,31 @@
+@@ -841,6 +876,54 @@
+ manage_lnk_files_pattern($1, httpd_sys_content_t, httpd_sys_content_t)
+ ')
- ########################################
- ## <summary>
++######################################
++## <summary>
++## Allow the specified domain to manage
++## apache system content rw files.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++## <rolecap/>
++#
++interface(`apache_manage_sys_content_rw',`
++ gen_require(`
++ type httpd_sys_rw_content_t;
++ ')
++
++ files_search_var($1)
++ manage_dirs_pattern($1, httpd_sys_rw_content_t, httpd_sys_rw_content_t)
++ manage_files_pattern($1, httpd_sys_rw_content_t, httpd_sys_rw_content_t)
++ manage_lnk_files_pattern($1, httpd_sys_rw_content_t, httpd_sys_rw_content_t)
++')
++
++########################################
++## <summary>
+## Allow the specified domain to delete
+## apache system content rw files.
+## </summary>
@@ -13067,12 +13182,10 @@ diff --exclude-from=exclude -N -u -r nsa
+ delete_sock_files_pattern($1, httpd_sys_rw_content_t, httpd_sys_rw_content_t)
+')
+
-+########################################
-+## <summary>
+ ########################################
+ ## <summary>
## Execute all web scripts in the system
- ## script domain.
- ## </summary>
-@@ -858,6 +918,11 @@
+@@ -858,6 +941,11 @@
gen_require(`
attribute httpdcontent;
type httpd_sys_script_t;
@@ -13084,7 +13197,7 @@ diff --exclude-from=exclude -N -u -r nsa
')
tunable_policy(`httpd_enable_cgi && httpd_unified',`
-@@ -945,7 +1010,7 @@
+@@ -945,7 +1033,7 @@
type httpd_squirrelmail_t;
')
@@ -13093,7 +13206,33 @@ diff --exclude-from=exclude -N -u -r nsa
')
########################################
-@@ -1102,7 +1167,7 @@
+@@ -1086,6 +1174,25 @@
+ read_files_pattern($1, httpd_tmp_t, httpd_tmp_t)
+ ')
+
++######################################
++## <summary>
++## Dontaudit attempts to read and write
++## apache tmp files.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`apache_dontaudit_rw_tmp_files',`
++ gen_require(`
++ type httpd_tmp_t;
++ ')
++
++ dontaudit $1 httpd_tmp_t:file { read write };
++')
++
+ ########################################
+ ## <summary>
+ ## Dontaudit attempts to write
+@@ -1102,7 +1209,7 @@
type httpd_tmp_t;
')
@@ -13102,7 +13241,7 @@ diff --exclude-from=exclude -N -u -r nsa
')
########################################
-@@ -1172,7 +1237,7 @@
+@@ -1172,7 +1279,7 @@
type httpd_modules_t, httpd_lock_t;
type httpd_var_run_t, httpd_php_tmp_t;
type httpd_suexec_tmp_t, httpd_tmp_t;
@@ -13111,7 +13250,7 @@ diff --exclude-from=exclude -N -u -r nsa
')
allow $1 httpd_t:process { getattr ptrace signal_perms };
-@@ -1202,12 +1267,44 @@
+@@ -1202,12 +1309,44 @@
kernel_search_proc($1)
allow $1 httpd_t:dir list_dir_perms;
@@ -13159,7 +13298,7 @@ diff --exclude-from=exclude -N -u -r nsa
')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.te serefpolicy-3.7.19/policy/modules/services/apache.te
--- nsaserefpolicy/policy/modules/services/apache.te 2010-04-06 15:15:38.000000000 -0400
-+++ serefpolicy-3.7.19/policy/modules/services/apache.te 2010-05-19 11:32:18.000000000 -0400
++++ serefpolicy-3.7.19/policy/modules/services/apache.te 2010-05-24 17:06:20.000000000 -0400
@@ -19,11 +19,13 @@
# Declarations
#
@@ -13231,6 +13370,15 @@ diff --exclude-from=exclude -N -u -r nsa
## Unify HTTPD to communicate with the terminal.
## Needed for entering the passphrase for certificates at
## the terminal.
+@@ -131,7 +161,7 @@
+
+ ## <desc>
+ ## <p>
+-## Allow httpd to run gpg
++## Allow httpd to run gpg in gpg-web domain
+ ## </p>
+ ## </desc>
+ gen_tunable(httpd_use_gpg, false)
@@ -143,6 +173,13 @@
## </desc>
gen_tunable(httpd_use_nfs, false)
@@ -13445,7 +13593,7 @@ diff --exclude-from=exclude -N -u -r nsa
dbus_system_bus_client(httpd_t)
tunable_policy(`httpd_dbus_avahi',`
-@@ -537,6 +642,10 @@
+@@ -537,8 +642,12 @@
')
optional_policy(`
@@ -13454,8 +13602,11 @@ diff --exclude-from=exclude -N -u -r nsa
+
+optional_policy(`
tunable_policy(`httpd_enable_cgi && httpd_use_gpg',`
- gpg_domtrans(httpd_t)
+- gpg_domtrans(httpd_t)
++ gpg_domtrans_web(httpd_t)
')
+ ')
+
@@ -557,6 +666,7 @@
optional_policy(`
@@ -16554,7 +16705,7 @@ diff --exclude-from=exclude -N -u -r nsa
tunable_policy(`fcron_crond', `
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups.fc serefpolicy-3.7.19/policy/modules/services/cups.fc
--- nsaserefpolicy/policy/modules/services/cups.fc 2009-07-28 15:51:13.000000000 -0400
-+++ serefpolicy-3.7.19/policy/modules/services/cups.fc 2010-04-14 10:48:18.000000000 -0400
++++ serefpolicy-3.7.19/policy/modules/services/cups.fc 2010-05-24 11:06:51.000000000 -0400
@@ -13,10 +13,14 @@
/etc/cups/certs/.* -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
/etc/rc\.d/init\.d/cups -- gen_context(system_u:object_r:cupsd_initrc_exec_t,s0)
@@ -16578,7 +16729,7 @@ diff --exclude-from=exclude -N -u -r nsa
/usr/libexec/hal_lpadmin -- gen_context(system_u:object_r:cupsd_config_exec_t,s0)
/usr/sbin/hp-[^/]+ -- gen_context(system_u:object_r:hplip_exec_t,s0)
-@@ -52,13 +57,22 @@
+@@ -52,13 +57,23 @@
/var/lib/cups/certs -d gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
/var/lib/cups/certs/.* -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
@@ -16597,6 +16748,7 @@ diff --exclude-from=exclude -N -u -r nsa
+/var/run/udev-configure-printer(/.*)? gen_context(system_u:object_r:cupsd_config_var_run_t,s0)
/var/turboprint(/.*)? gen_context(system_u:object_r:cupsd_var_run_t,s0)
+
++/usr/local/Brother/fax/.*\.log gen_context(system_u:object_r:cupsd_log_t,s0)
+/usr/local/Brother/(.*/)?inf(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
+/usr/local/Printer/(.*/)?inf(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
+
@@ -19427,7 +19579,7 @@ diff --exclude-from=exclude -N -u -r nsa
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerberos.if serefpolicy-3.7.19/policy/modules/services/kerberos.if
--- nsaserefpolicy/policy/modules/services/kerberos.if 2010-03-18 06:48:09.000000000 -0400
-+++ serefpolicy-3.7.19/policy/modules/services/kerberos.if 2010-04-14 10:48:18.000000000 -0400
++++ serefpolicy-3.7.19/policy/modules/services/kerberos.if 2010-05-24 10:53:14.000000000 -0400
@@ -74,7 +74,7 @@
')
@@ -27213,7 +27365,7 @@ diff --exclude-from=exclude -N -u -r nsa
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sendmail.te serefpolicy-3.7.19/policy/modules/services/sendmail.te
--- nsaserefpolicy/policy/modules/services/sendmail.te 2010-01-11 09:40:36.000000000 -0500
-+++ serefpolicy-3.7.19/policy/modules/services/sendmail.te 2010-04-30 09:53:00.000000000 -0400
++++ serefpolicy-3.7.19/policy/modules/services/sendmail.te 2010-05-21 10:39:51.000000000 -0400
@@ -20,6 +20,9 @@
mta_mailserver_delivery(sendmail_t)
mta_mailserver_sender(sendmail_t)
@@ -27294,9 +27446,12 @@ diff --exclude-from=exclude -N -u -r nsa
udev_read_db(sendmail_t)
')
-@@ -184,3 +197,4 @@
+@@ -182,5 +195,6 @@
+
+ optional_policy(`
mta_etc_filetrans_aliases(unconfined_sendmail_t)
- unconfined_domain(unconfined_sendmail_t)
+- unconfined_domain(unconfined_sendmail_t)
++ unconfined_domain_noaudit(unconfined_sendmail_t)
')
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/setroubleshoot.fc serefpolicy-3.7.19/policy/modules/services/setroubleshoot.fc
@@ -28724,6 +28879,14 @@ diff --exclude-from=exclude -N -u -r nsa
+ daemontools_sigchld_run(ucspitcp_t)
+')
+
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/usbmuxd.fc serefpolicy-3.7.19/policy/modules/services/usbmuxd.fc
+--- nsaserefpolicy/policy/modules/services/usbmuxd.fc 2010-04-05 14:44:26.000000000 -0400
++++ serefpolicy-3.7.19/policy/modules/services/usbmuxd.fc 2010-05-24 12:21:35.000000000 -0400
+@@ -1,3 +1,3 @@
+ /usr/sbin/usbmuxd -- gen_context(system_u:object_r:usbmuxd_exec_t,s0)
+
+-/var/run/usbmuxd -s gen_context(system_u:object_r:usbmuxd_var_run_t,s0)
++/var/run/usbmuxd.* gen_context(system_u:object_r:usbmuxd_var_run_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/varnishd.if serefpolicy-3.7.19/policy/modules/services/varnishd.if
--- nsaserefpolicy/policy/modules/services/varnishd.if 2009-07-23 14:11:04.000000000 -0400
+++ serefpolicy-3.7.19/policy/modules/services/varnishd.if 2010-04-14 10:48:18.000000000 -0400
@@ -29894,7 +30057,7 @@ diff --exclude-from=exclude -N -u -r nsa
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.te serefpolicy-3.7.19/policy/modules/services/xserver.te
--- nsaserefpolicy/policy/modules/services/xserver.te 2010-02-12 10:33:09.000000000 -0500
-+++ serefpolicy-3.7.19/policy/modules/services/xserver.te 2010-05-17 08:29:34.000000000 -0400
++++ serefpolicy-3.7.19/policy/modules/services/xserver.te 2010-05-24 10:43:35.000000000 -0400
@@ -36,6 +36,13 @@
## <desc>
@@ -30172,7 +30335,7 @@ diff --exclude-from=exclude -N -u -r nsa
optional_policy(`
ssh_sigchld(xauth_t)
ssh_read_pipes(xauth_t)
-@@ -305,20 +400,32 @@
+@@ -305,20 +400,33 @@
# XDM Local policy
#
@@ -30205,10 +30368,11 @@ diff --exclude-from=exclude -N -u -r nsa
+#Handle mislabeled files in homedir
+userdom_delete_user_home_content_files(xdm_t)
+userdom_signull_unpriv_users(xdm_t)
++userdom_dontaudit_read_admin_home_lnk_files(xdm_t)
# Allow gdm to run gdm-binary
can_exec(xdm_t, xdm_exec_t)
-@@ -326,32 +433,53 @@
+@@ -326,32 +434,53 @@
allow xdm_t xdm_lock_t:file manage_file_perms;
files_lock_filetrans(xdm_t, xdm_lock_t, file)
@@ -30267,7 +30431,7 @@ diff --exclude-from=exclude -N -u -r nsa
allow xdm_t xserver_t:unix_stream_socket connectto;
allow xdm_t xserver_tmp_t:sock_file rw_sock_file_perms;
-@@ -359,10 +487,13 @@
+@@ -359,10 +488,13 @@
# transition to the xdm xserver
domtrans_pattern(xdm_t, xserver_exec_t, xserver_t)
@@ -30281,7 +30445,7 @@ diff --exclude-from=exclude -N -u -r nsa
# connect to xdm xserver over stream socket
stream_connect_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t, xserver_t)
-@@ -371,15 +502,21 @@
+@@ -371,15 +503,21 @@
delete_files_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t)
delete_sock_files_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t)
@@ -30304,7 +30468,7 @@ diff --exclude-from=exclude -N -u -r nsa
corecmd_exec_shell(xdm_t)
corecmd_exec_bin(xdm_t)
-@@ -394,11 +531,14 @@
+@@ -394,11 +532,14 @@
corenet_udp_sendrecv_all_ports(xdm_t)
corenet_tcp_bind_generic_node(xdm_t)
corenet_udp_bind_generic_node(xdm_t)
@@ -30319,7 +30483,7 @@ diff --exclude-from=exclude -N -u -r nsa
dev_read_rand(xdm_t)
dev_read_sysfs(xdm_t)
dev_getattr_framebuffer_dev(xdm_t)
-@@ -406,6 +546,7 @@
+@@ -406,6 +547,7 @@
dev_getattr_mouse_dev(xdm_t)
dev_setattr_mouse_dev(xdm_t)
dev_rw_apm_bios(xdm_t)
@@ -30327,7 +30491,7 @@ diff --exclude-from=exclude -N -u -r nsa
dev_setattr_apm_bios_dev(xdm_t)
dev_rw_dri(xdm_t)
dev_rw_agp(xdm_t)
-@@ -414,18 +555,22 @@
+@@ -414,18 +556,22 @@
dev_getattr_misc_dev(xdm_t)
dev_setattr_misc_dev(xdm_t)
dev_dontaudit_rw_misc(xdm_t)
@@ -30353,7 +30517,7 @@ diff --exclude-from=exclude -N -u -r nsa
files_read_etc_files(xdm_t)
files_read_var_files(xdm_t)
-@@ -436,9 +581,17 @@
+@@ -436,9 +582,17 @@
files_read_usr_files(xdm_t)
# Poweroff wants to create the /poweroff file when run from xdm
files_create_boot_flag(xdm_t)
@@ -30371,7 +30535,7 @@ diff --exclude-from=exclude -N -u -r nsa
storage_dontaudit_read_fixed_disk(xdm_t)
storage_dontaudit_write_fixed_disk(xdm_t)
-@@ -447,14 +600,19 @@
+@@ -447,14 +601,19 @@
storage_dontaudit_raw_write_removable_device(xdm_t)
storage_dontaudit_setattr_removable_dev(xdm_t)
storage_dontaudit_rw_scsi_generic(xdm_t)
@@ -30391,7 +30555,7 @@ diff --exclude-from=exclude -N -u -r nsa
auth_rw_faillog(xdm_t)
auth_write_login_records(xdm_t)
-@@ -465,10 +623,12 @@
+@@ -465,10 +624,12 @@
logging_read_generic_logs(xdm_t)
@@ -30406,7 +30570,7 @@ diff --exclude-from=exclude -N -u -r nsa
userdom_dontaudit_use_unpriv_user_fds(xdm_t)
userdom_create_all_users_keys(xdm_t)
-@@ -477,6 +637,11 @@
+@@ -477,6 +638,11 @@
# Search /proc for any user domain processes.
userdom_read_all_users_state(xdm_t)
userdom_signal_all_users(xdm_t)
@@ -30418,7 +30582,7 @@ diff --exclude-from=exclude -N -u -r nsa
xserver_rw_session(xdm_t, xdm_tmpfs_t)
xserver_unconfined(xdm_t)
-@@ -509,10 +674,12 @@
+@@ -509,10 +675,12 @@
optional_policy(`
alsa_domtrans(xdm_t)
@@ -30431,7 +30595,7 @@ diff --exclude-from=exclude -N -u -r nsa
')
optional_policy(`
-@@ -520,12 +687,50 @@
+@@ -520,12 +688,50 @@
')
optional_policy(`
@@ -30482,7 +30646,7 @@ diff --exclude-from=exclude -N -u -r nsa
hostname_exec(xdm_t)
')
-@@ -543,20 +748,59 @@
+@@ -543,20 +749,59 @@
')
optional_policy(`
@@ -30544,7 +30708,7 @@ diff --exclude-from=exclude -N -u -r nsa
ifndef(`distro_redhat',`
allow xdm_t self:process { execheap execmem };
-@@ -565,7 +809,6 @@
+@@ -565,7 +810,6 @@
ifdef(`distro_rhel4',`
allow xdm_t self:process { execheap execmem };
')
@@ -30552,7 +30716,7 @@ diff --exclude-from=exclude -N -u -r nsa
optional_policy(`
userhelper_dontaudit_search_config(xdm_t)
-@@ -576,6 +819,10 @@
+@@ -576,6 +820,10 @@
')
optional_policy(`
@@ -30563,7 +30727,7 @@ diff --exclude-from=exclude -N -u -r nsa
xfs_stream_connect(xdm_t)
')
-@@ -600,10 +847,9 @@
+@@ -600,10 +848,9 @@
# execheap needed until the X module loader is fixed.
# NVIDIA Needs execstack
@@ -30575,7 +30739,7 @@ diff --exclude-from=exclude -N -u -r nsa
allow xserver_t self:fd use;
allow xserver_t self:fifo_file rw_fifo_file_perms;
allow xserver_t self:sock_file read_sock_file_perms;
-@@ -615,6 +861,18 @@
+@@ -615,6 +862,18 @@
allow xserver_t self:unix_stream_socket { create_stream_socket_perms connectto };
allow xserver_t self:tcp_socket create_stream_socket_perms;
allow xserver_t self:udp_socket create_socket_perms;
@@ -30594,7 +30758,7 @@ diff --exclude-from=exclude -N -u -r nsa
manage_dirs_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
manage_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
-@@ -634,12 +892,19 @@
+@@ -634,12 +893,19 @@
manage_lnk_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
files_search_var_lib(xserver_t)
@@ -30616,7 +30780,7 @@ diff --exclude-from=exclude -N -u -r nsa
kernel_read_system_state(xserver_t)
kernel_read_device_sysctls(xserver_t)
-@@ -673,7 +938,6 @@
+@@ -673,7 +939,6 @@
dev_rw_agp(xserver_t)
dev_rw_framebuffer(xserver_t)
dev_manage_dri_dev(xserver_t)
@@ -30624,7 +30788,7 @@ diff --exclude-from=exclude -N -u -r nsa
dev_create_generic_dirs(xserver_t)
dev_setattr_generic_dirs(xserver_t)
# raw memory access is needed if not using the frame buffer
-@@ -683,9 +947,12 @@
+@@ -683,9 +948,12 @@
dev_rw_xserver_misc(xserver_t)
# read events - the synaptics touchpad driver reads raw events
dev_rw_input_dev(xserver_t)
@@ -30638,7 +30802,7 @@ diff --exclude-from=exclude -N -u -r nsa
files_read_etc_files(xserver_t)
files_read_etc_runtime_files(xserver_t)
-@@ -700,8 +967,13 @@
+@@ -700,8 +968,13 @@
fs_search_nfs(xserver_t)
fs_search_auto_mountpoints(xserver_t)
fs_search_ramfs(xserver_t)
@@ -30652,7 +30816,7 @@ diff --exclude-from=exclude -N -u -r nsa
selinux_validate_context(xserver_t)
selinux_compute_access_vector(xserver_t)
-@@ -723,11 +995,14 @@
+@@ -723,11 +996,14 @@
miscfiles_read_localization(xserver_t)
miscfiles_read_fonts(xserver_t)
@@ -30667,7 +30831,7 @@ diff --exclude-from=exclude -N -u -r nsa
userdom_search_user_home_dirs(xserver_t)
userdom_use_user_ttys(xserver_t)
-@@ -779,12 +1054,24 @@
+@@ -779,12 +1055,24 @@
')
optional_policy(`
@@ -30693,7 +30857,7 @@ diff --exclude-from=exclude -N -u -r nsa
unconfined_domtrans(xserver_t)
')
-@@ -811,7 +1098,7 @@
+@@ -811,7 +1099,7 @@
allow xserver_t xdm_var_lib_t:file { getattr read };
dontaudit xserver_t xdm_var_lib_t:dir search;
@@ -30702,7 +30866,7 @@ diff --exclude-from=exclude -N -u -r nsa
# Label pid and temporary files with derived types.
manage_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
-@@ -832,9 +1119,14 @@
+@@ -832,9 +1120,14 @@
# to read ROLE_home_t - examine this in more detail
# (xauth?)
userdom_read_user_home_content_files(xserver_t)
@@ -30717,7 +30881,7 @@ diff --exclude-from=exclude -N -u -r nsa
tunable_policy(`use_nfs_home_dirs',`
fs_manage_nfs_dirs(xserver_t)
fs_manage_nfs_files(xserver_t)
-@@ -849,11 +1141,14 @@
+@@ -849,11 +1142,14 @@
optional_policy(`
dbus_system_bus_client(xserver_t)
@@ -30734,7 +30898,7 @@ diff --exclude-from=exclude -N -u -r nsa
')
optional_policy(`
-@@ -999,3 +1294,33 @@
+@@ -999,3 +1295,33 @@
allow xserver_unconfined_type xextension_type:x_extension *;
allow xserver_unconfined_type { x_domain xserver_t }:x_resource *;
allow xserver_unconfined_type xevent_type:{ x_event x_synthetic_event } *;
@@ -30807,7 +30971,7 @@ diff --exclude-from=exclude -N -u -r nsa
ifdef(`distro_suse', `
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.if serefpolicy-3.7.19/policy/modules/system/authlogin.if
--- nsaserefpolicy/policy/modules/system/authlogin.if 2010-03-18 10:35:11.000000000 -0400
-+++ serefpolicy-3.7.19/policy/modules/system/authlogin.if 2010-05-21 09:15:58.000000000 -0400
++++ serefpolicy-3.7.19/policy/modules/system/authlogin.if 2010-05-24 10:53:23.000000000 -0400
@@ -41,7 +41,6 @@
## </param>
#
@@ -30841,7 +31005,7 @@ diff --exclude-from=exclude -N -u -r nsa
auth_use_pam($1)
init_rw_utmp($1)
-@@ -151,6 +154,36 @@
+@@ -151,6 +154,40 @@
seutil_read_config($1)
seutil_read_default_contexts($1)
@@ -30855,6 +31019,10 @@ diff --exclude-from=exclude -N -u -r nsa
+ ')
+
+ optional_policy(`
++ kerberos_read_config($1)
++ ')
++
++ optional_policy(`
+ oddjob_dbus_chat($1)
+ oddjob_domtrans_mkhomedir($1)
+ ')
@@ -30878,7 +31046,7 @@ diff --exclude-from=exclude -N -u -r nsa
tunable_policy(`allow_polyinstantiation',`
files_polyinstantiate_all($1)
')
-@@ -365,13 +398,15 @@
+@@ -365,13 +402,15 @@
')
optional_policy(`
@@ -30895,7 +31063,7 @@ diff --exclude-from=exclude -N -u -r nsa
')
########################################
-@@ -418,6 +453,7 @@
+@@ -418,6 +457,7 @@
auth_domtrans_chk_passwd($1)
role $2 types chkpwd_t;
@@ -30903,7 +31071,7 @@ diff --exclude-from=exclude -N -u -r nsa
')
########################################
-@@ -1500,6 +1536,8 @@
+@@ -1500,6 +1540,8 @@
#
interface(`auth_use_nsswitch',`
@@ -30912,7 +31080,7 @@ diff --exclude-from=exclude -N -u -r nsa
files_list_var_lib($1)
# read /etc/nsswitch.conf
-@@ -1531,7 +1569,15 @@
+@@ -1531,7 +1573,15 @@
')
optional_policy(`
@@ -32814,6 +32982,19 @@ diff --exclude-from=exclude -N -u -r nsa
/var/named/chroot/etc/pki(/.*)? gen_context(system_u:object_r:cert_t,s0)
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/miscfiles.if serefpolicy-3.7.19/policy/modules/system/miscfiles.if
+--- nsaserefpolicy/policy/modules/system/miscfiles.if 2010-03-09 15:39:06.000000000 -0500
++++ serefpolicy-3.7.19/policy/modules/system/miscfiles.if 2010-05-21 10:32:22.000000000 -0400
+@@ -305,9 +305,6 @@
+ allow $1 locale_t:dir list_dir_perms;
+ read_files_pattern($1, locale_t, locale_t)
+ read_lnk_files_pattern($1, locale_t, locale_t)
+-
+- # why?
+- libs_read_lib_files($1)
+ ')
+
+ ########################################
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/modutils.te serefpolicy-3.7.19/policy/modules/system/modutils.te
--- nsaserefpolicy/policy/modules/system/modutils.te 2010-03-18 06:48:09.000000000 -0400
+++ serefpolicy-3.7.19/policy/modules/system/modutils.te 2010-04-14 10:48:18.000000000 -0400
@@ -35652,8 +35833,8 @@ diff --exclude-from=exclude -N -u -r nsa
-')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.fc serefpolicy-3.7.19/policy/modules/system/userdomain.fc
--- nsaserefpolicy/policy/modules/system/userdomain.fc 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.7.19/policy/modules/system/userdomain.fc 2010-04-14 10:48:18.000000000 -0400
-@@ -1,4 +1,11 @@
++++ serefpolicy-3.7.19/policy/modules/system/userdomain.fc 2010-05-24 14:15:38.000000000 -0400
+@@ -1,4 +1,12 @@
HOME_DIR -d gen_context(system_u:object_r:user_home_dir_t,s0-mls_systemhigh)
+HOME_DIR -l gen_context(system_u:object_r:user_home_dir_t,s0-mls_systemhigh)
HOME_DIR/.+ gen_context(system_u:object_r:user_home_t,s0)
@@ -35663,12 +35844,13 @@ diff --exclude-from=exclude -N -u -r nsa
+/root/\.cert(/.*)? gen_context(system_u:object_r:home_cert_t,s0)
+/dev/shm/pulse-shm.* gen_context(system_u:object_r:user_tmpfs_t,s0)
+/dev/shm/mono.* gen_context(system_u:object_r:user_tmpfs_t,s0)
++HOME_DIR/bin(/.*)? gen_context(system_u:object_r:home_bin_t,s0)
+HOME_DIR/\.cert(/.*)? gen_context(system_u:object_r:home_cert_t,s0)
+HOME_DIR/\.pki(/.*)? gen_context(system_u:object_r:home_cert_t,s0)
+HOME_DIR/\.gvfs(/.*)? <<none>>
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.7.19/policy/modules/system/userdomain.if
--- nsaserefpolicy/policy/modules/system/userdomain.if 2010-03-03 23:26:37.000000000 -0500
-+++ serefpolicy-3.7.19/policy/modules/system/userdomain.if 2010-05-17 09:19:46.000000000 -0400
++++ serefpolicy-3.7.19/policy/modules/system/userdomain.if 2010-05-24 14:25:06.000000000 -0400
@@ -30,8 +30,9 @@
')
@@ -35927,8 +36109,8 @@ diff --exclude-from=exclude -N -u -r nsa
allow $2 user_home_dir_t:dir { manage_dir_perms relabel_dir_perms };
tunable_policy(`use_nfs_home_dirs',`
-+ fs_mount_nfs($2)
-+ fs_mounton_nfs($2)
++ fs_mount_nfs($2)
++ fs_mounton_nfs($2)
fs_manage_nfs_dirs($2)
fs_manage_nfs_files($2)
fs_manage_nfs_symlinks($2)
@@ -35940,8 +36122,8 @@ diff --exclude-from=exclude -N -u -r nsa
')
tunable_policy(`use_samba_home_dirs',`
-+ fs_mount_cifs($2)
-+ fs_mounton_cifs($2)
++ fs_mount_cifs($2)
++ fs_mounton_cifs($2)
fs_manage_cifs_dirs($2)
fs_manage_cifs_files($2)
fs_manage_cifs_symlinks($2)
@@ -35953,15 +36135,55 @@ diff --exclude-from=exclude -N -u -r nsa
')
')
-@@ -303,6 +319,7 @@
+@@ -303,6 +319,47 @@
manage_sock_files_pattern($2, user_tmp_t, user_tmp_t)
manage_fifo_files_pattern($2, user_tmp_t, user_tmp_t)
files_tmp_filetrans($2, user_tmp_t, { dir file lnk_file sock_file fifo_file })
+ relabel_files_pattern($2, user_tmp_t, user_tmp_t)
++')
++
++#######################################
++## <summary>
++## Execute user bin files.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`userdom_exec_user_bin_files',`
++ gen_require(`
++ attribute user_home_type;
++ type home_bin_t, user_home_dir_t;
++ ')
++
++ exec_files_pattern($1, { user_home_dir_t user_home_type }, home_bin_t)
++ files_search_home($1)
++')
++
++#######################################
++## <summary>
++## Execute user bin files.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`userdom_exec_user_bin_files',`
++ gen_require(`
++ attribute user_home_type;
++ type home_bin_t, user_home_dir_t;
++ ')
++
++ exec_files_pattern($1, { user_home_dir_t user_home_type }, home_bin_t)
++ files_search_home($1)
')
#######################################
-@@ -322,6 +339,7 @@
+@@ -322,6 +379,7 @@
')
exec_files_pattern($1, user_tmp_t, user_tmp_t)
@@ -35969,7 +36191,7 @@ diff --exclude-from=exclude -N -u -r nsa
files_search_tmp($1)
')
-@@ -368,46 +386,41 @@
+@@ -368,46 +426,41 @@
#######################################
## <summary>
@@ -36036,7 +36258,7 @@ diff --exclude-from=exclude -N -u -r nsa
')
#######################################
-@@ -438,6 +451,7 @@
+@@ -438,6 +491,7 @@
dev_dontaudit_rw_dri($1_t)
# GNOME checks for usb and other devices:
dev_rw_usbfs($1_t)
@@ -36044,7 +36266,7 @@ diff --exclude-from=exclude -N -u -r nsa
xserver_user_x_domain_template($1, $1_t, user_tmpfs_t)
xserver_xsession_entry_type($1_t)
-@@ -498,7 +512,7 @@
+@@ -498,7 +552,7 @@
attribute unpriv_userdomain;
')
@@ -36053,7 +36275,7 @@ diff --exclude-from=exclude -N -u -r nsa
##############################
#
-@@ -508,71 +522,78 @@
+@@ -508,71 +562,78 @@
# evolution and gnome-session try to create a netlink socket
dontaudit $1_t self:netlink_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown };
dontaudit $1_t self:netlink_route_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown nlmsg_read nlmsg_write };
@@ -36170,7 +36392,7 @@ diff --exclude-from=exclude -N -u -r nsa
')
tunable_policy(`user_ttyfile_stat',`
-@@ -580,65 +601,104 @@
+@@ -580,65 +641,108 @@
')
optional_policy(`
@@ -36210,49 +36432,53 @@ diff --exclude-from=exclude -N -u -r nsa
+ optional_policy(`
+ bluetooth_dbus_chat($1_usertype)
+ ')
-+
-+ optional_policy(`
-+ consolekit_dbus_chat($1_usertype)
-+ consolekit_read_log($1_usertype)
-+ ')
-+
-+ optional_policy(`
-+ devicekit_dbus_chat($1_usertype)
-+ devicekit_dbus_chat_power($1_usertype)
-+ devicekit_dbus_chat_disk($1_usertype)
-+ ')
optional_policy(`
- bluetooth_dbus_chat($1_t)
-+ evolution_dbus_chat($1_usertype)
-+ evolution_alarm_dbus_chat($1_usertype)
++ consolekit_dbus_chat($1_usertype)
++ consolekit_read_log($1_usertype)
')
optional_policy(`
- evolution_dbus_chat($1_t)
- evolution_alarm_dbus_chat($1_t)
-+ gnome_dbus_chat_gconfdefault($1_usertype)
++ devicekit_dbus_chat($1_usertype)
++ devicekit_dbus_chat_power($1_usertype)
++ devicekit_dbus_chat_disk($1_usertype)
')
optional_policy(`
- cups_dbus_chat_config($1_t)
-+ hal_dbus_chat($1_usertype)
++ evolution_dbus_chat($1_usertype)
++ evolution_alarm_dbus_chat($1_usertype)
')
optional_policy(`
- hal_dbus_chat($1_t)
-+ modemmanager_dbus_chat($1_usertype)
++ gnome_dbus_chat_gconfdefault($1_usertype)
')
optional_policy(`
- networkmanager_dbus_chat($1_t)
++ hal_dbus_chat($1_usertype)
+ ')
++
++ optional_policy(`
++ modemmanager_dbus_chat($1_usertype)
++ ')
++
++ optional_policy(`
+ networkmanager_dbus_chat($1_usertype)
+ networkmanager_read_var_lib_files($1_usertype)
+ ')
+
+ optional_policy(`
+ vpn_dbus_chat($1_usertype)
- ')
++ ')
++ ')
++
++ optional_policy(`
++ git_session_role($1_r, $1_usertype)
')
optional_policy(`
@@ -36280,20 +36506,20 @@ diff --exclude-from=exclude -N -u -r nsa
optional_policy(`
- modutils_read_module_config($1_t)
+ modutils_read_module_config($1_usertype)
-+ ')
-+
-+ optional_policy(`
-+ mta_rw_spool($1_usertype)
-+ mta_manage_queue($1_usertype)
')
optional_policy(`
- mta_rw_spool($1_t)
++ mta_rw_spool($1_usertype)
++ mta_manage_queue($1_usertype)
++ ')
++
++ optional_policy(`
+ nsplugin_role($1_r, $1_usertype)
')
optional_policy(`
-@@ -649,41 +709,50 @@
+@@ -649,41 +753,50 @@
optional_policy(`
# to allow monitoring of pcmcia status
@@ -36355,7 +36581,7 @@ diff --exclude-from=exclude -N -u -r nsa
')
#######################################
-@@ -711,13 +780,26 @@
+@@ -711,13 +824,26 @@
userdom_base_user_template($1)
@@ -36364,12 +36590,12 @@ diff --exclude-from=exclude -N -u -r nsa
+
+ userdom_manage_tmp_role($1_r, $1_usertype)
+ userdom_manage_tmpfs_role($1_r, $1_usertype)
++
++ ifelse(`$1',`unconfined',`',`
++ gen_tunable(allow_$1_exec_content, true)
- userdom_manage_tmp_role($1_r, $1_t)
- userdom_manage_tmpfs_role($1_r, $1_t)
-+ ifelse(`$1',`unconfined',`',`
-+ gen_tunable(allow_$1_exec_content, true)
-+
+ tunable_policy(`allow_$1_exec_content',`
+ userdom_exec_user_tmp_files($1_usertype)
+ userdom_exec_user_home_content_files($1_usertype)
@@ -36387,7 +36613,7 @@ diff --exclude-from=exclude -N -u -r nsa
userdom_change_password_template($1)
-@@ -735,70 +817,73 @@
+@@ -735,70 +861,73 @@
allow $1_t self:context contains;
@@ -36452,10 +36678,10 @@ diff --exclude-from=exclude -N -u -r nsa
- miscfiles_exec_tetex_data($1_t)
+ miscfiles_read_tetex_data($1_usertype)
+ miscfiles_exec_tetex_data($1_usertype)
-+
-+ seutil_read_config($1_usertype)
- seutil_read_config($1_t)
++ seutil_read_config($1_usertype)
++
+ optional_policy(`
+ cups_read_config($1_usertype)
+ cups_stream_connect($1_usertype)
@@ -36494,7 +36720,7 @@ diff --exclude-from=exclude -N -u -r nsa
')
')
-@@ -830,12 +915,35 @@
+@@ -830,12 +959,35 @@
typeattribute $1_t unpriv_userdomain;
domain_interactive_fd($1_t)
@@ -36530,7 +36756,7 @@ diff --exclude-from=exclude -N -u -r nsa
loadkeys_run($1_t,$1_r)
')
')
-@@ -871,45 +979,83 @@
+@@ -871,45 +1023,83 @@
#
auth_role($1_r, $1_t)
@@ -36605,14 +36831,14 @@ diff --exclude-from=exclude -N -u -r nsa
+
+ optional_policy(`
+ policykit_role($1_r, $1_usertype)
-+ ')
-+
-+ optional_policy(`
-+ pulseaudio_role($1_r, $1_usertype)
')
optional_policy(`
- java_role($1_r, $1_t)
++ pulseaudio_role($1_r, $1_usertype)
++ ')
++
++ optional_policy(`
+ rtkit_scheduled($1_usertype)
')
@@ -36629,7 +36855,7 @@ diff --exclude-from=exclude -N -u -r nsa
')
')
-@@ -944,7 +1090,7 @@
+@@ -944,7 +1134,7 @@
#
# Inherit rules for ordinary users.
@@ -36638,7 +36864,7 @@ diff --exclude-from=exclude -N -u -r nsa
userdom_common_user_template($1)
##############################
-@@ -953,54 +1099,73 @@
+@@ -953,54 +1143,73 @@
#
# port access is audited even if dac would not have allowed it, so dontaudit it here
@@ -36687,13 +36913,16 @@ diff --exclude-from=exclude -N -u -r nsa
- netutils_run_ping_cond($1_t,$1_r)
- netutils_run_traceroute_cond($1_t,$1_r)
+ cdrecord_role($1_r, $1_t)
-+ ')
-+
-+ optional_policy(`
+ ')
+
+- # Run pppd in pppd_t by default for user
+ optional_policy(`
+- ppp_run_cond($1_t,$1_r)
+ cron_role($1_r, $1_t)
-+ ')
-+
-+ optional_policy(`
+ ')
+
+ optional_policy(`
+- setroubleshoot_stream_connect($1_t)
+ games_rw_data($1_usertype)
+ ')
+
@@ -36727,22 +36956,19 @@ diff --exclude-from=exclude -N -u -r nsa
+
+ optional_policy(`
+ wine_role_template($1, $1_r, $1_t)
- ')
-
-- # Run pppd in pppd_t by default for user
- optional_policy(`
-- ppp_run_cond($1_t,$1_r)
++ ')
++
++ optional_policy(`
+ postfix_run_postdrop($1_t, $1_r)
- ')
-
++ ')
++
+ # Run pppd in pppd_t by default for user
- optional_policy(`
-- setroubleshoot_stream_connect($1_t)
++ optional_policy(`
+ ppp_run_cond($1_t, $1_r)
')
')
-@@ -1036,7 +1201,7 @@
+@@ -1036,7 +1245,7 @@
template(`userdom_admin_user_template',`
gen_require(`
attribute admindomain;
@@ -36751,7 +36977,7 @@ diff --exclude-from=exclude -N -u -r nsa
')
##############################
-@@ -1071,6 +1236,9 @@
+@@ -1071,6 +1280,9 @@
# Skip authentication when pam_rootok is specified.
allow $1_t self:passwd rootok;
@@ -36761,7 +36987,7 @@ diff --exclude-from=exclude -N -u -r nsa
kernel_read_software_raid_state($1_t)
kernel_getattr_core_if($1_t)
kernel_getattr_message_if($1_t)
-@@ -1085,6 +1253,7 @@
+@@ -1085,6 +1297,7 @@
kernel_sigstop_unlabeled($1_t)
kernel_signull_unlabeled($1_t)
kernel_sigchld_unlabeled($1_t)
@@ -36769,7 +36995,7 @@ diff --exclude-from=exclude -N -u -r nsa
corenet_tcp_bind_generic_port($1_t)
# allow setting up tunnels
-@@ -1116,10 +1285,13 @@
+@@ -1116,10 +1329,13 @@
domain_sigchld_all_domains($1_t)
# for lsof
domain_getattr_all_sockets($1_t)
@@ -36783,7 +37009,7 @@ diff --exclude-from=exclude -N -u -r nsa
fs_set_all_quotas($1_t)
fs_exec_noxattr($1_t)
-@@ -1139,6 +1311,7 @@
+@@ -1139,6 +1355,7 @@
logging_send_syslog_msg($1_t)
modutils_domtrans_insmod($1_t)
@@ -36791,7 +37017,7 @@ diff --exclude-from=exclude -N -u -r nsa
# The following rule is temporary until such time that a complete
# policy management infrastructure is in place so that an administrator
-@@ -1207,6 +1380,8 @@
+@@ -1207,6 +1424,8 @@
dev_relabel_all_dev_nodes($1)
files_create_boot_flag($1)
@@ -36800,7 +37026,7 @@ diff --exclude-from=exclude -N -u -r nsa
# Necessary for managing /boot/efi
fs_manage_dos_files($1)
-@@ -1234,6 +1409,7 @@
+@@ -1234,6 +1453,7 @@
seutil_run_checkpolicy($1,$2)
seutil_run_loadpolicy($1,$2)
seutil_run_semanage($1,$2)
@@ -36808,7 +37034,7 @@ diff --exclude-from=exclude -N -u -r nsa
seutil_run_setfiles($1, $2)
optional_policy(`
-@@ -1272,11 +1448,15 @@
+@@ -1272,11 +1492,15 @@
interface(`userdom_user_home_content',`
gen_require(`
type user_home_t;
@@ -36824,7 +37050,7 @@ diff --exclude-from=exclude -N -u -r nsa
')
########################################
-@@ -1387,6 +1567,7 @@
+@@ -1387,6 +1611,7 @@
')
allow $1 user_home_dir_t:dir search_dir_perms;
@@ -36832,7 +37058,7 @@ diff --exclude-from=exclude -N -u -r nsa
files_search_home($1)
')
-@@ -1433,6 +1614,14 @@
+@@ -1433,6 +1658,14 @@
allow $1 user_home_dir_t:dir list_dir_perms;
files_search_home($1)
@@ -36847,7 +37073,7 @@ diff --exclude-from=exclude -N -u -r nsa
')
########################################
-@@ -1448,9 +1637,11 @@
+@@ -1448,9 +1681,11 @@
interface(`userdom_dontaudit_list_user_home_dirs',`
gen_require(`
type user_home_dir_t;
@@ -36859,7 +37085,7 @@ diff --exclude-from=exclude -N -u -r nsa
')
########################################
-@@ -1507,6 +1698,42 @@
+@@ -1507,6 +1742,42 @@
allow $1 user_home_dir_t:dir relabelto;
')
@@ -36902,7 +37128,7 @@ diff --exclude-from=exclude -N -u -r nsa
########################################
## <summary>
## Create directories in the home dir root with
-@@ -1581,6 +1808,8 @@
+@@ -1581,6 +1852,8 @@
')
dontaudit $1 user_home_t:dir search_dir_perms;
@@ -36911,7 +37137,7 @@ diff --exclude-from=exclude -N -u -r nsa
')
########################################
-@@ -1595,10 +1824,12 @@
+@@ -1595,10 +1868,12 @@
#
interface(`userdom_list_user_home_content',`
gen_require(`
@@ -36926,7 +37152,7 @@ diff --exclude-from=exclude -N -u -r nsa
')
########################################
-@@ -1641,6 +1872,24 @@
+@@ -1641,6 +1916,24 @@
########################################
## <summary>
@@ -36951,7 +37177,7 @@ diff --exclude-from=exclude -N -u -r nsa
## Do not audit attempts to set the
## attributes of user home files.
## </summary>
-@@ -1692,6 +1941,7 @@
+@@ -1692,6 +1985,7 @@
type user_home_dir_t, user_home_t;
')
@@ -36959,7 +37185,7 @@ diff --exclude-from=exclude -N -u -r nsa
read_files_pattern($1, { user_home_dir_t user_home_t }, user_home_t)
files_search_home($1)
')
-@@ -1708,11 +1958,14 @@
+@@ -1708,11 +2002,14 @@
#
interface(`userdom_dontaudit_read_user_home_content_files',`
gen_require(`
@@ -36977,7 +37203,7 @@ diff --exclude-from=exclude -N -u -r nsa
')
########################################
-@@ -1802,8 +2055,7 @@
+@@ -1802,8 +2099,7 @@
type user_home_dir_t, user_home_t;
')
@@ -36987,7 +37213,11 @@ diff --exclude-from=exclude -N -u -r nsa
')
########################################
-@@ -1819,20 +2071,14 @@
+@@ -1815,24 +2111,17 @@
+ ## Domain allowed access.
+ ## </summary>
+ ## </param>
+-## <rolecap/>
#
interface(`userdom_exec_user_home_content_files',`
gen_require(`
@@ -37012,7 +37242,7 @@ diff --exclude-from=exclude -N -u -r nsa
########################################
## <summary>
-@@ -1866,6 +2112,7 @@
+@@ -1866,6 +2155,7 @@
interface(`userdom_manage_user_home_content_files',`
gen_require(`
type user_home_dir_t, user_home_t;
@@ -37020,7 +37250,7 @@ diff --exclude-from=exclude -N -u -r nsa
')
manage_files_pattern($1, user_home_t, user_home_t)
-@@ -2102,6 +2349,25 @@
+@@ -2102,6 +2392,25 @@
########################################
## <summary>
@@ -37046,72 +37276,33 @@ diff --exclude-from=exclude -N -u -r nsa
## Do not audit attempts to list user
## temporary directories.
## </summary>
-@@ -2218,7 +2484,7 @@
+@@ -2218,6 +2527,25 @@
########################################
## <summary>
--## Do not audit attempts to manage users
+## Do not audit attempts to write users
- ## temporary files.
- ## </summary>
- ## <param name="domain">
-@@ -2227,30 +2493,49 @@
- ## </summary>
- ## </param>
- #
--interface(`userdom_dontaudit_manage_user_tmp_files',`
-+interface(`userdom_dontaudit_write_user_tmp_files',`
- gen_require(`
- type user_tmp_t;
- ')
-
-- dontaudit $1 user_tmp_t:file manage_file_perms;
-+ dontaudit $1 user_tmp_t:file write;
- ')
-
- ########################################
- ## <summary>
--## Read user temporary symbolic links.
-+## Do not audit attempts to manage users
+## temporary files.
- ## </summary>
- ## <param name="domain">
- ## <summary>
--## Domain allowed access.
-+## Domain to not audit.
- ## </summary>
- ## </param>
- #
--interface(`userdom_read_user_tmp_symlinks',`
-+interface(`userdom_dontaudit_manage_user_tmp_files',`
- gen_require(`
- type user_tmp_t;
- ')
-
-- read_lnk_files_pattern($1, user_tmp_t, user_tmp_t)
-+ dontaudit $1 user_tmp_t:file manage_file_perms;
-+')
-+
-+########################################
-+## <summary>
-+## Read user temporary symbolic links.
+## </summary>
+## <param name="domain">
+## <summary>
-+## Domain allowed access.
++## Domain to not audit.
+## </summary>
+## </param>
+#
-+interface(`userdom_read_user_tmp_symlinks',`
++interface(`userdom_dontaudit_write_user_tmp_files',`
+ gen_require(`
+ type user_tmp_t;
+ ')
+
-+ read_lnk_files_pattern($1, user_tmp_t, user_tmp_t)
- allow $1 user_tmp_t:dir list_dir_perms;
- files_search_tmp($1)
- ')
-@@ -2427,13 +2712,14 @@
++ dontaudit $1 user_tmp_t:file write;
++')
++
++########################################
++## <summary>
+ ## Do not audit attempts to manage users
+ ## temporary files.
+ ## </summary>
+@@ -2427,13 +2755,14 @@
')
read_files_pattern($1, user_tmpfs_t, user_tmpfs_t)
@@ -37127,7 +37318,7 @@ diff --exclude-from=exclude -N -u -r nsa
## </summary>
## <param name="domain">
## <summary>
-@@ -2454,6 +2740,24 @@
+@@ -2454,6 +2783,24 @@
########################################
## <summary>
@@ -37152,7 +37343,7 @@ diff --exclude-from=exclude -N -u -r nsa
## Get the attributes of a user domain tty.
## </summary>
## <param name="domain">
-@@ -2747,6 +3051,25 @@
+@@ -2747,6 +3094,25 @@
########################################
## <summary>
@@ -37178,7 +37369,7 @@ diff --exclude-from=exclude -N -u -r nsa
## Execute bin_t in the unprivileged user domains. This
## is an explicit transition, requiring the
## caller to use setexeccon().
-@@ -2787,7 +3110,7 @@
+@@ -2787,7 +3153,7 @@
domain_entry_file_spec_domtrans($1, unpriv_userdomain)
allow unpriv_userdomain $1:fd use;
@@ -37187,7 +37378,7 @@ diff --exclude-from=exclude -N -u -r nsa
allow unpriv_userdomain $1:process sigchld;
')
-@@ -2803,11 +3126,13 @@
+@@ -2803,11 +3169,13 @@
#
interface(`userdom_search_user_home_content',`
gen_require(`
@@ -37203,7 +37394,7 @@ diff --exclude-from=exclude -N -u -r nsa
')
########################################
-@@ -2944,7 +3269,7 @@
+@@ -2944,7 +3312,7 @@
type user_tmp_t;
')
@@ -37212,7 +37403,7 @@ diff --exclude-from=exclude -N -u -r nsa
')
########################################
-@@ -2981,6 +3306,7 @@
+@@ -2981,6 +3349,7 @@
')
read_files_pattern($1, userdomain, userdomain)
@@ -37220,7 +37411,7 @@ diff --exclude-from=exclude -N -u -r nsa
kernel_search_proc($1)
')
-@@ -3111,3 +3437,664 @@
+@@ -3111,3 +3480,682 @@
allow $1 userdomain:dbus send_msg;
')
@@ -37304,7 +37495,6 @@ diff --exclude-from=exclude -N -u -r nsa
+## Domain allowed access.
+## </summary>
+## </param>
-+## <rolecap/>
+#
+interface(`userdom_ptrace_all_users',`
+ gen_require(`
@@ -37793,6 +37983,25 @@ diff --exclude-from=exclude -N -u -r nsa
+
+ dontaudit $1 admin_home_t:file getattr;
+')
++
++########################################
++## <summary>
++## dontaudit read /root lnk files
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`userdom_dontaudit_read_admin_home_lnk_files',`
++ gen_require(`
++ type admin_home_t;
++ ')
++
++ dontaudit $1 admin_home_t:lnk_file read;
++')
++
+########################################
+## <summary>
+## Create, read, write, and delete user
@@ -37887,7 +38096,7 @@ diff --exclude-from=exclude -N -u -r nsa
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.te serefpolicy-3.7.19/policy/modules/system/userdomain.te
--- nsaserefpolicy/policy/modules/system/userdomain.te 2010-03-03 23:26:37.000000000 -0500
-+++ serefpolicy-3.7.19/policy/modules/system/userdomain.te 2010-04-15 10:24:19.000000000 -0400
++++ serefpolicy-3.7.19/policy/modules/system/userdomain.te 2010-05-24 14:17:00.000000000 -0400
@@ -29,13 +29,6 @@
## <desc>
@@ -37933,13 +38142,17 @@ diff --exclude-from=exclude -N -u -r nsa
userdom_user_home_content(user_home_t)
fs_associate_tmpfs(user_home_t)
files_associate_tmp(user_home_t)
-@@ -97,3 +100,32 @@
+@@ -97,3 +100,36 @@
type user_tty_device_t alias { staff_tty_device_t sysadm_tty_device_t secadm_tty_device_t auditadm_tty_device_t unconfined_tty_device_t };
dev_node(user_tty_device_t)
ubac_constrained(user_tty_device_t)
+
-+type home_cert_t, user_home_type;
-+files_type(home_cert_t)
++type home_bin_t;
++userdom_user_home_content(home_bin_t)
++ubac_constrained(home_bin_t)
++
++type home_cert_t;
++userdom_user_home_content(home_cert_t)
+ubac_constrained(home_cert_t)
+
+tunable_policy(`allow_console_login',`
Index: selinux-policy.spec
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/F-13/selinux-policy.spec,v
retrieving revision 1.1019
retrieving revision 1.1020
diff -u -p -r1.1019 -r1.1020
--- selinux-policy.spec 21 May 2010 13:24:46 -0000 1.1019
+++ selinux-policy.spec 24 May 2010 21:07:03 -0000 1.1020
@@ -20,7 +20,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.7.19
-Release: 20%{?dist}
+Release: 21%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -316,6 +316,7 @@ Requires(pre): selinux-policy = %{versio
Requires: selinux-policy = %{version}-%{release}
Conflicts: audispd-plugins <= 1.7.7-1
Obsoletes: mod_fcgid-selinux <= %{version}-%{release}
+Obsoletes: cachefilesd-selinux <= 0.10-1
Conflicts: seedit
%description targeted
@@ -468,6 +469,12 @@ exit 0
%endif
%changelog
+* Monu May 24 2010 Dan Walsh <dwalsh at redhat.com> 3.7.19-21
+- Allow login programs to read krb5_home_t
+Resolves: #594833
+- Add obsoletes for cachefilesfd-selinux package
+Resolves: #575084
+
* Thu May 20 2010 Dan Walsh <dwalsh at redhat.com> 3.7.19-20
- Allow mount to r/w abrt fifo file
Resolves: #594014
More information about the scm-commits
mailing list