[selinux-policy/f14/master] - Allow chome to create netlink_route_socket - Add additional MATHLAB file context - Define nsplugin
Daniel J Walsh
dwalsh at fedoraproject.org
Fri Oct 22 12:26:13 UTC 2010
commit 08a6dace8e27d6865a2c20df4ab11ceabff1c8b1
Author: Dan Walsh <dwalsh at redhat.com>
Date: Fri Oct 22 08:26:04 2010 -0400
- Allow chome to create netlink_route_socket
- Add additional MATHLAB file context
- Define nsplugin as an application_domain
- Dontaudit sending signals from sandboxed domains to other domains
- systemd requires init to build /tmp /var/auth and /var/lock dirs
- mount wants to read devicekit_power /proc/ entries
- mpd wants to connect to soundd port
- Openoffice causes a setattr on a lib_t file for normal users, add dontaudit
- Treat lib_t and textrel_shlib_t directories the same
- Allow mount read access on virtual images
booleans-targeted.conf | 4 +
policy-F14.patch | 472 +++++++++++++++++++++++++++++++++---------------
selinux-policy.spec | 14 ++-
3 files changed, 342 insertions(+), 148 deletions(-)
---
diff --git a/booleans-targeted.conf b/booleans-targeted.conf
index 019ff76..c7f8c40 100644
--- a/booleans-targeted.conf
+++ b/booleans-targeted.conf
@@ -1,3 +1,7 @@
+# Allow local login and getty to use the console_device_t for logging in.
+#
+allow_console_login = true
+
# Allow making anonymous memory executable, e.g.for runtime-code generation or executable stack.
#
allow_execmem = true
diff --git a/policy-F14.patch b/policy-F14.patch
index 7957c71..15bd03c 100644
--- a/policy-F14.patch
+++ b/policy-F14.patch
@@ -1864,10 +1864,10 @@ index 0000000..5ef90cd
+
diff --git a/policy/modules/apps/chrome.te b/policy/modules/apps/chrome.te
new file mode 100644
-index 0000000..0958247
+index 0000000..0738be8
--- /dev/null
+++ b/policy/modules/apps/chrome.te
-@@ -0,0 +1,92 @@
+@@ -0,0 +1,93 @@
+policy_module(chrome,1.0.0)
+
+########################################
@@ -1897,6 +1897,7 @@ index 0000000..0958247
+allow chrome_sandbox_t self:unix_stream_socket create_stream_socket_perms;
+allow chrome_sandbox_t self:unix_dgram_socket { create_socket_perms sendto };
+allow chrome_sandbox_t self:shm create_shm_perms;
++allow chrome_sandbox_t self:netlink_route_socket create_socket_perms;
+
+manage_dirs_pattern(chrome_sandbox_t, chrome_sandbox_tmp_t, chrome_sandbox_tmp_t)
+manage_files_pattern(chrome_sandbox_t, chrome_sandbox_tmp_t, chrome_sandbox_tmp_t)
@@ -3455,10 +3456,16 @@ index 66beb80..b7c6502 100644
+')
+
diff --git a/policy/modules/apps/java.fc b/policy/modules/apps/java.fc
-index 86c1768..87d560b 100644
+index 86c1768..cd76e6a 100644
--- a/policy/modules/apps/java.fc
+++ b/policy/modules/apps/java.fc
-@@ -9,6 +9,7 @@
+@@ -5,10 +5,13 @@
+ /opt/ibm/java.*/(bin|javaws)(/.*)? -- gen_context(system_u:object_r:java_exec_t,s0)
+ /opt/local/matlab.*/bin.*/MATLAB.* -- gen_context(system_u:object_r:java_exec_t,s0)
+ /opt/matlab.*/bin.*/MATLAB.* -- gen_context(system_u:object_r:java_exec_t,s0)
++/opt/local/MATLAB.*/bin.*/MATLAB.* -- gen_context(system_u:object_r:java_exec_t,s0)
++/opt/MATLAB.*/bin.*/MATLAB.* -- gen_context(system_u:object_r:java_exec_t,s0)
+
#
# /usr
#
@@ -3466,7 +3473,7 @@ index 86c1768..87d560b 100644
/usr/(.*/)?bin/java.* -- gen_context(system_u:object_r:java_exec_t,s0)
/usr/bin/fastjar -- gen_context(system_u:object_r:java_exec_t,s0)
/usr/bin/frysk -- gen_context(system_u:object_r:java_exec_t,s0)
-@@ -33,6 +34,9 @@
+@@ -33,6 +36,9 @@
/usr/matlab.*/bin.*/MATLAB.* -- gen_context(system_u:object_r:java_exec_t,s0)
@@ -4662,10 +4669,10 @@ index 0000000..4dbb161
+')
diff --git a/policy/modules/apps/nsplugin.te b/policy/modules/apps/nsplugin.te
new file mode 100644
-index 0000000..1ca0e76
+index 0000000..182e476
--- /dev/null
+++ b/policy/modules/apps/nsplugin.te
-@@ -0,0 +1,313 @@
+@@ -0,0 +1,312 @@
+policy_module(nsplugin, 1.0.0)
+
+########################################
@@ -4706,8 +4713,7 @@ index 0000000..1ca0e76
+typealias nsplugin_home_t alias user_nsplugin_home_t;
+
+type nsplugin_t;
-+domain_type(nsplugin_t)
-+domain_entry_file(nsplugin_t, nsplugin_exec_t)
++application_domain(nsplugin_t, nsplugin_exec_t)
+
+type nsplugin_config_t;
+domain_type(nsplugin_config_t)
@@ -5812,10 +5818,10 @@ index 0000000..587c440
+')
diff --git a/policy/modules/apps/sandbox.te b/policy/modules/apps/sandbox.te
new file mode 100644
-index 0000000..39f006a
+index 0000000..10b7c23
--- /dev/null
+++ b/policy/modules/apps/sandbox.te
-@@ -0,0 +1,420 @@
+@@ -0,0 +1,427 @@
+policy_module(sandbox,1.0.0)
+dbus_stub()
+attribute sandbox_domain;
@@ -5970,7 +5976,7 @@ index 0000000..39f006a
+allow sandbox_x_domain self:unix_stream_socket create_stream_socket_perms;
+
+allow sandbox_x_domain self:process { signal_perms getsched setpgid execstack execmem };
-+dontaudit sandbox_x_domain self:process signal;
++dontaudit sandbox_x_domain sandbox_x_domain:process signal;
+
+allow sandbox_x_domain self:shm create_shm_perms;
+allow sandbox_x_domain self:unix_stream_socket { connectto create_stream_socket_perms };
@@ -6016,6 +6022,8 @@ index 0000000..39f006a
+term_getattr_pty_fs(sandbox_x_domain)
+term_use_ptmx(sandbox_x_domain)
+
++application_dontaudit_signal(sandbox_x_domain)
++
+logging_send_syslog_msg(sandbox_x_domain)
+logging_dontaudit_search_logs(sandbox_x_domain)
+
@@ -6024,6 +6032,10 @@ index 0000000..39f006a
+storage_dontaudit_rw_fuse(sandbox_x_domain)
+
+optional_policy(`
++ consolekit_dbus_chat(sandbox_x_domain)
++')
++
++optional_policy(`
+ cups_stream_connect(sandbox_x_domain)
+ cups_read_rw_config(sandbox_x_domain)
+')
@@ -6181,11 +6193,11 @@ index 0000000..39f006a
+userdom_delete_user_tmpfs_files(sandbox_web_type)
+
+optional_policy(`
-+ bluetooth_dontaudit_dbus_chat(sandbox_web_type)
++ alsa_read_rw_config(sandbox_web_type)
+')
+
+optional_policy(`
-+ consolekit_dbus_chat(sandbox_web_type)
++ bluetooth_dontaudit_dbus_chat(sandbox_web_type)
+')
+
+optional_policy(`
@@ -6236,6 +6248,7 @@ index 0000000..39f006a
+ mozilla_dontaudit_rw_user_home_files(sandbox_xserver_t)
+ mozilla_dontaudit_rw_user_home_files(sandbox_x_domain)
+')
++
diff --git a/policy/modules/apps/seunshare.if b/policy/modules/apps/seunshare.if
index 1dc7a85..7455c19 100644
--- a/policy/modules/apps/seunshare.if
@@ -8363,7 +8376,7 @@ index 3517db2..bd4c23d 100644
+/nsr(/.*)? gen_context(system_u:object_r:var_t,s0)
+/nsr/logs(/.*)? gen_context(system_u:object_r:var_log_t,s0)
diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
-index 5302dac..3966eab 100644
+index 5302dac..0e4368f 100644
--- a/policy/modules/kernel/files.if
+++ b/policy/modules/kernel/files.if
@@ -1053,10 +1053,8 @@ interface(`files_relabel_all_files',`
@@ -8690,7 +8703,32 @@ index 5302dac..3966eab 100644
## Manage temporary files and directories in /tmp.
## </summary>
## <param name="domain">
-@@ -4109,6 +4355,13 @@ interface(`files_purge_tmp',`
+@@ -3950,6 +4196,24 @@ interface(`files_rw_generic_tmp_sockets',`
+
+ ########################################
+ ## <summary>
++## Relabel a file from the type used in /tmp.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`files_relabelfrom_tmp_files',`
++ gen_require(`
++ type tmp_t;
++ ')
++
++ relabelfrom_files_pattern($1, tmp_t, tmp_t)
++')
++
++########################################
++## <summary>
+ ## Set the attributes of all tmp directories.
+ ## </summary>
+ ## <param name="domain">
+@@ -4109,6 +4373,13 @@ interface(`files_purge_tmp',`
delete_lnk_files_pattern($1, tmpfile, tmpfile)
delete_fifo_files_pattern($1, tmpfile, tmpfile)
delete_sock_files_pattern($1, tmpfile, tmpfile)
@@ -8704,7 +8742,7 @@ index 5302dac..3966eab 100644
')
########################################
-@@ -4718,6 +4971,24 @@ interface(`files_read_var_files',`
+@@ -4718,6 +4989,24 @@ interface(`files_read_var_files',`
########################################
## <summary>
@@ -8729,7 +8767,7 @@ index 5302dac..3966eab 100644
## Read and write files in the /var directory.
## </summary>
## <param name="domain">
-@@ -5053,6 +5324,24 @@ interface(`files_manage_mounttab',`
+@@ -5053,6 +5342,24 @@ interface(`files_manage_mounttab',`
########################################
## <summary>
@@ -8754,7 +8792,7 @@ index 5302dac..3966eab 100644
## Search the locks directory (/var/lock).
## </summary>
## <param name="domain">
-@@ -5138,12 +5427,12 @@ interface(`files_getattr_generic_locks',`
+@@ -5138,12 +5445,12 @@ interface(`files_getattr_generic_locks',`
## </param>
#
interface(`files_delete_generic_locks',`
@@ -8771,7 +8809,7 @@ index 5302dac..3966eab 100644
')
########################################
-@@ -5317,6 +5606,43 @@ interface(`files_search_pids',`
+@@ -5317,6 +5624,43 @@ interface(`files_search_pids',`
search_dirs_pattern($1, var_t, var_run_t)
')
@@ -8815,7 +8853,7 @@ index 5302dac..3966eab 100644
########################################
## <summary>
## Do not audit attempts to search
-@@ -5524,6 +5850,44 @@ interface(`files_dontaudit_ioctl_all_pids',`
+@@ -5524,6 +5868,44 @@ interface(`files_dontaudit_ioctl_all_pids',`
########################################
## <summary>
@@ -8860,7 +8898,7 @@ index 5302dac..3966eab 100644
## Read all process ID files.
## </summary>
## <param name="domain">
-@@ -5541,6 +5905,44 @@ interface(`files_read_all_pids',`
+@@ -5541,6 +5923,44 @@ interface(`files_read_all_pids',`
list_dirs_pattern($1, var_t, pidfile)
read_files_pattern($1, pidfile, pidfile)
@@ -8905,7 +8943,7 @@ index 5302dac..3966eab 100644
')
########################################
-@@ -5826,3 +6228,247 @@ interface(`files_unconfined',`
+@@ -5826,3 +6246,247 @@ interface(`files_unconfined',`
typeattribute $1 files_unconfined_type;
')
@@ -15038,7 +15076,7 @@ index 3e45431..fa57a6f 100644
admin_pattern($1, bluetooth_var_lib_t)
diff --git a/policy/modules/services/bluetooth.te b/policy/modules/services/bluetooth.te
-index 215b86b..67818fe 100644
+index 215b86b..913d2a9 100644
--- a/policy/modules/services/bluetooth.te
+++ b/policy/modules/services/bluetooth.te
@@ -4,6 +4,7 @@ policy_module(bluetooth, 3.3.0)
@@ -15049,18 +15087,19 @@ index 215b86b..67818fe 100644
type bluetooth_t;
type bluetooth_exec_t;
init_daemon_domain(bluetooth_t, bluetooth_exec_t)
-@@ -99,6 +100,10 @@ kernel_request_load_module(bluetooth_t)
+@@ -99,6 +100,11 @@ kernel_request_load_module(bluetooth_t)
#search debugfs - redhat bug 548206
kernel_search_debugfs(bluetooth_t)
+ifdef(`hide_broken_symptoms', `
+ kernel_rw_unlabeled_socket(bluetooth_t)
++ dev_rw_generic_chr_files(bluetooth_t)
+')
+
corenet_all_recvfrom_unlabeled(bluetooth_t)
corenet_all_recvfrom_netlabel(bluetooth_t)
corenet_tcp_sendrecv_generic_if(bluetooth_t)
-@@ -147,6 +152,10 @@ userdom_dontaudit_use_user_terminals(bluetooth_t)
+@@ -147,6 +153,10 @@ userdom_dontaudit_use_user_terminals(bluetooth_t)
userdom_dontaudit_search_user_home_dirs(bluetooth_t)
optional_policy(`
@@ -17072,7 +17111,7 @@ index 0258b48..8fde016 100644
manage_dirs_pattern(cobblerd_t, httpd_cobbler_content_rw_t, httpd_cobbler_content_rw_t)
manage_files_pattern(cobblerd_t, httpd_cobbler_content_rw_t, httpd_cobbler_content_rw_t)
diff --git a/policy/modules/services/consolekit.if b/policy/modules/services/consolekit.if
-index 42c6bd7..ac43a92 100644
+index 42c6bd7..8f23087 100644
--- a/policy/modules/services/consolekit.if
+++ b/policy/modules/services/consolekit.if
@@ -5,9 +5,9 @@
@@ -17087,7 +17126,35 @@ index 42c6bd7..ac43a92 100644
## </param>
#
interface(`consolekit_domtrans',`
-@@ -41,6 +41,24 @@ interface(`consolekit_dbus_chat',`
+@@ -20,6 +20,27 @@ interface(`consolekit_domtrans',`
+
+ ########################################
+ ## <summary>
++## dontaudit Send and receive messages from
++## consolekit over dbus.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`consolekit_dontaudit_dbus_chat',`
++ gen_require(`
++ type consolekit_t;
++ class dbus send_msg;
++ ')
++
++ dontaudit $1 consolekit_t:dbus send_msg;
++ dontaudit consolekit_t $1:dbus send_msg;
++')
++
++########################################
++## <summary>
+ ## Send and receive messages from
+ ## consolekit over dbus.
+ ## </summary>
+@@ -41,6 +62,24 @@ interface(`consolekit_dbus_chat',`
########################################
## <summary>
@@ -17112,7 +17179,7 @@ index 42c6bd7..ac43a92 100644
## Read consolekit log files.
## </summary>
## <param name="domain">
-@@ -95,3 +113,22 @@ interface(`consolekit_read_pid_files',`
+@@ -95,3 +134,22 @@ interface(`consolekit_read_pid_files',`
files_search_pids($1)
read_files_pattern($1, consolekit_var_run_t, consolekit_var_run_t)
')
@@ -18711,7 +18778,7 @@ index 8ba9425..b10da2c 100644
+ gnome_dontaudit_search_config(denyhosts_t)
+')
diff --git a/policy/modules/services/devicekit.if b/policy/modules/services/devicekit.if
-index f706b99..ab2edfc 100644
+index f706b99..c1ba3f2 100644
--- a/policy/modules/services/devicekit.if
+++ b/policy/modules/services/devicekit.if
@@ -5,9 +5,9 @@
@@ -18726,7 +18793,33 @@ index f706b99..ab2edfc 100644
## </param>
#
interface(`devicekit_domtrans',`
-@@ -147,16 +147,6 @@ interface(`devicekit_read_pid_files',`
+@@ -120,6 +120,25 @@ interface(`devicekit_dbus_chat_power',`
+
+ ########################################
+ ## <summary>
++## Allow the domain to read devicekit_power state files in /proc.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`devicekit_read_state_power',`
++ gen_require(`
++ type devicekit_power_t;
++ ')
++
++ kernel_search_proc($1)
++ ps_process_pattern($1, devicekit_power_t)
++')
++
++########################################
++## <summary>
+ ## Read devicekit PID files.
+ ## </summary>
+ ## <param name="domain">
+@@ -147,16 +166,6 @@ interface(`devicekit_read_pid_files',`
## Domain allowed access.
## </summary>
## </param>
@@ -18743,7 +18836,7 @@ index f706b99..ab2edfc 100644
## <rolecap/>
#
interface(`devicekit_admin',`
-@@ -165,21 +155,21 @@ interface(`devicekit_admin',`
+@@ -165,21 +174,22 @@ interface(`devicekit_admin',`
type devicekit_var_lib_t, devicekit_var_run_t, devicekit_tmp_t;
')
@@ -18771,6 +18864,7 @@ index f706b99..ab2edfc 100644
- files_search_pids($1)
+ files_list_pids($1)
')
++
diff --git a/policy/modules/services/devicekit.te b/policy/modules/services/devicekit.te
index f231f17..3aaa784 100644
--- a/policy/modules/services/devicekit.te
@@ -23116,10 +23210,10 @@ index 0000000..311aaed
+')
diff --git a/policy/modules/services/mpd.te b/policy/modules/services/mpd.te
new file mode 100644
-index 0000000..84bc8bb
+index 0000000..68af4e8
--- /dev/null
+++ b/policy/modules/services/mpd.te
-@@ -0,0 +1,110 @@
+@@ -0,0 +1,111 @@
+policy_module(mpd, 1.0.0)
+
+########################################
@@ -23197,6 +23291,7 @@ index 0000000..84bc8bb
+corenet_tcp_connect_http_port(mpd_t)
+corenet_tcp_connect_http_cache_port(mpd_t)
+corenet_tcp_connect_pulseaudio_port(mpd_t)
++corenet_tcp_connect_soundd_port(mpd_t)
+corenet_tcp_bind_mpd_port(mpd_t)
+corenet_tcp_bind_soundd_port(mpd_t)
+
@@ -35622,7 +35717,7 @@ index 6f1e3c7..6a160b2 100644
+/var/lib/pqsql/\.Xauthority.* -- gen_context(system_u:object_r:xauth_home_t,s0)
+
diff --git a/policy/modules/services/xserver.if b/policy/modules/services/xserver.if
-index da2601a..f963642 100644
+index da2601a..0ad10f7 100644
--- a/policy/modules/services/xserver.if
+++ b/policy/modules/services/xserver.if
@@ -19,9 +19,10 @@
@@ -36096,7 +36191,32 @@ index da2601a..f963642 100644
read_files_pattern($1, xdm_tmp_t, xdm_tmp_t)
')
-@@ -1052,7 +1155,7 @@ interface(`xserver_dontaudit_getattr_xdm_tmp_sockets',`
+@@ -1038,6 +1141,24 @@ interface(`xserver_manage_xdm_tmp_files',`
+
+ ########################################
+ ## <summary>
++## Create, read, write, and delete xdm temporary dirs.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`xserver_manage_xdm_tmp_dirs',`
++ gen_require(`
++ type xdm_tmp_t;
++ ')
++
++ manage_dirs_pattern($1, xdm_tmp_t, xdm_tmp_t)
++')
++
++########################################
++## <summary>
+ ## Do not audit attempts to get the attributes of
+ ## xdm temporary named sockets.
+ ## </summary>
+@@ -1052,7 +1173,7 @@ interface(`xserver_dontaudit_getattr_xdm_tmp_sockets',`
type xdm_tmp_t;
')
@@ -36105,7 +36225,7 @@ index da2601a..f963642 100644
')
########################################
-@@ -1070,8 +1173,10 @@ interface(`xserver_domtrans',`
+@@ -1070,8 +1191,10 @@ interface(`xserver_domtrans',`
type xserver_t, xserver_exec_t;
')
@@ -36117,7 +36237,7 @@ index da2601a..f963642 100644
')
########################################
-@@ -1185,6 +1290,7 @@ interface(`xserver_stream_connect',`
+@@ -1185,6 +1308,7 @@ interface(`xserver_stream_connect',`
files_search_tmp($1)
stream_connect_pattern($1, xserver_tmp_t, xserver_tmp_t, xserver_t)
@@ -36125,7 +36245,7 @@ index da2601a..f963642 100644
')
########################################
-@@ -1210,7 +1316,7 @@ interface(`xserver_read_tmp_files',`
+@@ -1210,7 +1334,7 @@ interface(`xserver_read_tmp_files',`
## <summary>
## Interface to provide X object permissions on a given X server to
## an X client domain. Gives the domain permission to read the
@@ -36134,7 +36254,7 @@ index da2601a..f963642 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -1220,13 +1326,23 @@ interface(`xserver_read_tmp_files',`
+@@ -1220,13 +1344,23 @@ interface(`xserver_read_tmp_files',`
#
interface(`xserver_manage_core_devices',`
gen_require(`
@@ -36159,7 +36279,7 @@ index da2601a..f963642 100644
')
########################################
-@@ -1243,10 +1359,355 @@ interface(`xserver_manage_core_devices',`
+@@ -1243,10 +1377,355 @@ interface(`xserver_manage_core_devices',`
#
interface(`xserver_unconfined',`
gen_require(`
@@ -37998,10 +38118,10 @@ index f9a06d2..3d407c6 100644
files_read_etc_files(zos_remote_t)
diff --git a/policy/modules/system/application.if b/policy/modules/system/application.if
-index ac50333..42784aa 100644
+index ac50333..a5678f1 100644
--- a/policy/modules/system/application.if
+++ b/policy/modules/system/application.if
-@@ -130,3 +130,39 @@ interface(`application_signull',`
+@@ -130,3 +130,57 @@ interface(`application_signull',`
allow $1 application_domain_type:process signull;
')
@@ -38026,6 +38146,24 @@ index ac50333..42784aa 100644
+
+########################################
+## <summary>
++## Dontaudit signal sent to all application domains.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain to not audit.
++## </summary>
++## </param>
++#
++interface(`application_dontaudit_signal',`
++ gen_require(`
++ attribute application_domain_type;
++ ')
++
++ dontaudit $1 application_domain_type:process signal;
++')
++
++########################################
++## <summary>
+## Send signal to all application domains.
+## </summary>
+## <param name="domain">
@@ -39073,7 +39211,7 @@ index df3fa64..73dc579 100644
+ allow $1 init_t:unix_stream_socket rw_stream_socket_perms;
+')
diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
-index 8a105fd..2b0a437 100644
+index 8a105fd..ace700c 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -16,6 +16,27 @@ gen_require(`
@@ -39202,7 +39340,7 @@ index 8a105fd..2b0a437 100644
corecmd_shell_domtrans(init_t, initrc_t)
',`
# Run the shell in the sysadm role for single-user mode.
-@@ -186,12 +220,89 @@ tunable_policy(`init_upstart',`
+@@ -186,12 +220,92 @@ tunable_policy(`init_upstart',`
sysadm_shell_domtrans(init_t)
')
@@ -39264,9 +39402,12 @@ index 8a105fd..2b0a437 100644
+ files_relabel_all_pid_files(init_t)
+ files_relabel_all_pid_files(init_t)
+ files_manage_all_pids(init_t)
-+ files_manage_generic_locks(init_t)
++ files_manage_all_locks(init_t)
+ files_manage_generic_tmp_dirs(init_t)
+ files_manage_generic_tmp_files(init_t)
++ files_relabelfrom_tmp_files(init_t)
++
++ auth_manage_var_auth(init_t)
+')
+
optional_policy(`
@@ -39292,7 +39433,7 @@ index 8a105fd..2b0a437 100644
')
optional_policy(`
-@@ -199,10 +310,19 @@ optional_policy(`
+@@ -199,10 +313,23 @@ optional_policy(`
')
optional_policy(`
@@ -39309,10 +39450,14 @@ index 8a105fd..2b0a437 100644
+')
+
+optional_policy(`
++ xserver_manage_xdm_tmp_dirs(init_t)
++')
++
++optional_policy(`
unconfined_domain(init_t)
')
-@@ -212,7 +332,7 @@ optional_policy(`
+@@ -212,7 +339,7 @@ optional_policy(`
#
allow initrc_t self:process { getpgid setsched setpgid setrlimit getsched };
@@ -39321,7 +39466,7 @@ index 8a105fd..2b0a437 100644
dontaudit initrc_t self:capability sys_module; # sysctl is triggering this
allow initrc_t self:passwd rootok;
allow initrc_t self:key manage_key_perms;
-@@ -241,6 +361,7 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t)
+@@ -241,6 +368,7 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t)
allow initrc_t initrc_var_run_t:file manage_file_perms;
files_pid_filetrans(initrc_t, initrc_var_run_t, file)
@@ -39329,7 +39474,7 @@ index 8a105fd..2b0a437 100644
can_exec(initrc_t, initrc_tmp_t)
manage_files_pattern(initrc_t, initrc_tmp_t, initrc_tmp_t)
-@@ -258,11 +379,23 @@ kernel_change_ring_buffer_level(initrc_t)
+@@ -258,11 +386,23 @@ kernel_change_ring_buffer_level(initrc_t)
kernel_clear_ring_buffer(initrc_t)
kernel_get_sysvipc_info(initrc_t)
kernel_read_all_sysctls(initrc_t)
@@ -39353,7 +39498,7 @@ index 8a105fd..2b0a437 100644
corecmd_exec_all_executables(initrc_t)
-@@ -291,6 +424,7 @@ dev_read_sound_mixer(initrc_t)
+@@ -291,6 +431,7 @@ dev_read_sound_mixer(initrc_t)
dev_write_sound_mixer(initrc_t)
dev_setattr_all_chr_files(initrc_t)
dev_rw_lvm_control(initrc_t)
@@ -39361,7 +39506,7 @@ index 8a105fd..2b0a437 100644
dev_delete_lvm_control_dev(initrc_t)
dev_manage_generic_symlinks(initrc_t)
dev_manage_generic_files(initrc_t)
-@@ -298,13 +432,13 @@ dev_manage_generic_files(initrc_t)
+@@ -298,13 +439,13 @@ dev_manage_generic_files(initrc_t)
dev_delete_generic_symlinks(initrc_t)
dev_getattr_all_blk_files(initrc_t)
dev_getattr_all_chr_files(initrc_t)
@@ -39377,7 +39522,7 @@ index 8a105fd..2b0a437 100644
domain_sigchld_all_domains(initrc_t)
domain_read_all_domains_state(initrc_t)
domain_getattr_all_domains(initrc_t)
-@@ -323,8 +457,10 @@ files_getattr_all_symlinks(initrc_t)
+@@ -323,8 +464,10 @@ files_getattr_all_symlinks(initrc_t)
files_getattr_all_pipes(initrc_t)
files_getattr_all_sockets(initrc_t)
files_purge_tmp(initrc_t)
@@ -39389,7 +39534,7 @@ index 8a105fd..2b0a437 100644
files_delete_all_pids(initrc_t)
files_delete_all_pid_dirs(initrc_t)
files_read_etc_files(initrc_t)
-@@ -340,8 +476,12 @@ files_list_isid_type_dirs(initrc_t)
+@@ -340,8 +483,12 @@ files_list_isid_type_dirs(initrc_t)
files_mounton_isid_type_dirs(initrc_t)
files_list_default(initrc_t)
files_mounton_default(initrc_t)
@@ -39403,7 +39548,7 @@ index 8a105fd..2b0a437 100644
fs_list_inotifyfs(initrc_t)
fs_register_binary_executable_type(initrc_t)
# rhgb-console writes to ramfs
-@@ -351,6 +491,8 @@ fs_mount_all_fs(initrc_t)
+@@ -351,6 +498,8 @@ fs_mount_all_fs(initrc_t)
fs_unmount_all_fs(initrc_t)
fs_remount_all_fs(initrc_t)
fs_getattr_all_fs(initrc_t)
@@ -39412,7 +39557,7 @@ index 8a105fd..2b0a437 100644
# initrc_t needs to do a pidof which requires ptrace
mcs_ptrace_all(initrc_t)
-@@ -363,6 +505,7 @@ mls_process_read_up(initrc_t)
+@@ -363,6 +512,7 @@ mls_process_read_up(initrc_t)
mls_process_write_down(initrc_t)
mls_rangetrans_source(initrc_t)
mls_fd_share_all_levels(initrc_t)
@@ -39420,7 +39565,7 @@ index 8a105fd..2b0a437 100644
selinux_get_enforce_mode(initrc_t)
-@@ -380,6 +523,7 @@ auth_read_pam_pid(initrc_t)
+@@ -380,6 +530,7 @@ auth_read_pam_pid(initrc_t)
auth_delete_pam_pid(initrc_t)
auth_delete_pam_console_data(initrc_t)
auth_use_nsswitch(initrc_t)
@@ -39428,7 +39573,7 @@ index 8a105fd..2b0a437 100644
libs_rw_ld_so_cache(initrc_t)
libs_exec_lib_files(initrc_t)
-@@ -394,13 +538,14 @@ logging_read_audit_config(initrc_t)
+@@ -394,13 +545,14 @@ logging_read_audit_config(initrc_t)
miscfiles_read_localization(initrc_t)
# slapd needs to read cert files from its initscript
@@ -39444,7 +39589,7 @@ index 8a105fd..2b0a437 100644
userdom_read_user_home_content_files(initrc_t)
# Allow access to the sysadm TTYs. Note that this will give access to the
# TTYs to any process in the initrc_t domain. Therefore, daemons and such
-@@ -473,7 +618,7 @@ ifdef(`distro_redhat',`
+@@ -473,7 +625,7 @@ ifdef(`distro_redhat',`
# Red Hat systems seem to have a stray
# fd open from the initrd
@@ -39453,7 +39598,7 @@ index 8a105fd..2b0a437 100644
files_dontaudit_read_root_files(initrc_t)
# These seem to be from the initrd
-@@ -519,6 +664,19 @@ ifdef(`distro_redhat',`
+@@ -519,6 +671,19 @@ ifdef(`distro_redhat',`
optional_policy(`
bind_manage_config_dirs(initrc_t)
bind_write_config(initrc_t)
@@ -39473,7 +39618,7 @@ index 8a105fd..2b0a437 100644
')
optional_policy(`
-@@ -526,10 +684,17 @@ ifdef(`distro_redhat',`
+@@ -526,10 +691,17 @@ ifdef(`distro_redhat',`
rpc_write_exports(initrc_t)
rpc_manage_nfs_state_data(initrc_t)
')
@@ -39491,7 +39636,7 @@ index 8a105fd..2b0a437 100644
')
optional_policy(`
-@@ -544,6 +709,35 @@ ifdef(`distro_suse',`
+@@ -544,6 +716,35 @@ ifdef(`distro_suse',`
')
')
@@ -39527,7 +39672,7 @@ index 8a105fd..2b0a437 100644
optional_policy(`
amavis_search_lib(initrc_t)
amavis_setattr_pid_files(initrc_t)
-@@ -556,6 +750,8 @@ optional_policy(`
+@@ -556,6 +757,8 @@ optional_policy(`
optional_policy(`
apache_read_config(initrc_t)
apache_list_modules(initrc_t)
@@ -39536,7 +39681,7 @@ index 8a105fd..2b0a437 100644
')
optional_policy(`
-@@ -572,6 +768,7 @@ optional_policy(`
+@@ -572,6 +775,7 @@ optional_policy(`
optional_policy(`
cgroup_stream_connect_cgred(initrc_t)
@@ -39544,7 +39689,7 @@ index 8a105fd..2b0a437 100644
')
optional_policy(`
-@@ -584,6 +781,11 @@ optional_policy(`
+@@ -584,6 +788,11 @@ optional_policy(`
')
optional_policy(`
@@ -39556,7 +39701,7 @@ index 8a105fd..2b0a437 100644
dev_getattr_printer_dev(initrc_t)
cups_read_log(initrc_t)
-@@ -600,6 +802,9 @@ optional_policy(`
+@@ -600,6 +809,9 @@ optional_policy(`
dbus_connect_system_bus(initrc_t)
dbus_system_bus_client(initrc_t)
dbus_read_config(initrc_t)
@@ -39566,7 +39711,7 @@ index 8a105fd..2b0a437 100644
optional_policy(`
consolekit_dbus_chat(initrc_t)
-@@ -701,7 +906,13 @@ optional_policy(`
+@@ -701,7 +913,13 @@ optional_policy(`
')
optional_policy(`
@@ -39580,7 +39725,7 @@ index 8a105fd..2b0a437 100644
mta_dontaudit_read_spool_symlinks(initrc_t)
')
-@@ -724,6 +935,10 @@ optional_policy(`
+@@ -724,6 +942,10 @@ optional_policy(`
')
optional_policy(`
@@ -39591,7 +39736,7 @@ index 8a105fd..2b0a437 100644
postgresql_manage_db(initrc_t)
postgresql_read_config(initrc_t)
')
-@@ -745,6 +960,10 @@ optional_policy(`
+@@ -745,6 +967,10 @@ optional_policy(`
')
optional_policy(`
@@ -39602,7 +39747,7 @@ index 8a105fd..2b0a437 100644
fs_write_ramfs_sockets(initrc_t)
fs_search_ramfs(initrc_t)
-@@ -766,8 +985,6 @@ optional_policy(`
+@@ -766,8 +992,6 @@ optional_policy(`
# bash tries ioctl for some reason
files_dontaudit_ioctl_all_pids(initrc_t)
@@ -39611,7 +39756,7 @@ index 8a105fd..2b0a437 100644
')
optional_policy(`
-@@ -776,14 +993,21 @@ optional_policy(`
+@@ -776,14 +1000,21 @@ optional_policy(`
')
optional_policy(`
@@ -39633,7 +39778,7 @@ index 8a105fd..2b0a437 100644
optional_policy(`
ssh_dontaudit_read_server_keys(initrc_t)
-@@ -805,11 +1029,19 @@ optional_policy(`
+@@ -805,11 +1036,19 @@ optional_policy(`
')
optional_policy(`
@@ -39654,7 +39799,7 @@ index 8a105fd..2b0a437 100644
ifdef(`distro_redhat',`
# system-config-services causes avc messages that should be dontaudited
-@@ -819,6 +1051,25 @@ optional_policy(`
+@@ -819,6 +1058,25 @@ optional_policy(`
optional_policy(`
mono_domtrans(initrc_t)
')
@@ -39680,7 +39825,7 @@ index 8a105fd..2b0a437 100644
')
optional_policy(`
-@@ -844,3 +1095,55 @@ optional_policy(`
+@@ -844,3 +1102,55 @@ optional_policy(`
optional_policy(`
zebra_read_config(initrc_t)
')
@@ -40456,7 +40601,7 @@ index 9df8c4d..0199a7d 100644
+/opt/google/picasa/.*\.yti -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/opt/google/talkplugin/.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
diff --git a/policy/modules/system/libraries.if b/policy/modules/system/libraries.if
-index d97d16d..ed1b8be 100644
+index d97d16d..ed84884 100644
--- a/policy/modules/system/libraries.if
+++ b/policy/modules/system/libraries.if
@@ -46,6 +46,26 @@ interface(`libs_run_ldconfig',`
@@ -40486,7 +40631,31 @@ index d97d16d..ed1b8be 100644
## Use the dynamic link/loader for automatic loading
## of shared libraries.
## </summary>
-@@ -383,7 +403,7 @@ interface(`libs_manage_shared_libs',`
+@@ -187,6 +207,23 @@ interface(`libs_search_lib',`
+
+ allow $1 lib_t:dir search_dir_perms;
+ ')
++########################################
++## <summary>
++## dontaudit attempts to setattr on library files
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain to not audit.
++## </summary>
++## </param>
++#
++interface(`libs_dontaudit_setattr_lib_files',`
++ gen_require(`
++ type lib_t;
++ ')
++
++ dontaudit $1 lib_t:file setattr;
++')
+
+ ########################################
+ ## <summary>
+@@ -383,7 +420,7 @@ interface(`libs_manage_shared_libs',`
type lib_t, textrel_shlib_t;
')
@@ -40495,7 +40664,7 @@ index d97d16d..ed1b8be 100644
')
########################################
-@@ -402,9 +422,9 @@ interface(`libs_use_shared_libs',`
+@@ -402,9 +439,9 @@ interface(`libs_use_shared_libs',`
')
files_search_usr($1)
@@ -40508,7 +40677,7 @@ index d97d16d..ed1b8be 100644
allow $1 textrel_shlib_t:file execmod;
')
-@@ -445,7 +465,7 @@ interface(`libs_relabel_shared_libs',`
+@@ -445,7 +482,7 @@ interface(`libs_relabel_shared_libs',`
type lib_t, textrel_shlib_t;
')
@@ -41514,7 +41683,7 @@ index 8b5c196..3490497 100644
+ role $2 types showmount_t;
')
diff --git a/policy/modules/system/mount.te b/policy/modules/system/mount.te
-index fca6947..c960661 100644
+index fca6947..809442b 100644
--- a/policy/modules/system/mount.te
+++ b/policy/modules/system/mount.te
@@ -17,8 +17,15 @@ type mount_exec_t;
@@ -41716,7 +41885,7 @@ index fca6947..c960661 100644
')
optional_policy(`
-@@ -173,6 +247,24 @@ optional_policy(`
+@@ -173,6 +247,28 @@ optional_policy(`
')
optional_policy(`
@@ -41724,6 +41893,10 @@ index fca6947..c960661 100644
+')
+
+optional_policy(`
++ devicekit_read_state_power(mount_t)
++')
++
++optional_policy(`
+ dbus_system_bus_client(mount_t)
+
+ optional_policy(`
@@ -41741,7 +41914,7 @@ index fca6947..c960661 100644
ifdef(`hide_broken_symptoms',`
# for a bug in the X server
rhgb_dontaudit_rw_stream_sockets(mount_t)
-@@ -180,13 +272,40 @@ optional_policy(`
+@@ -180,13 +276,44 @@ optional_policy(`
')
')
@@ -41778,11 +41951,15 @@ index fca6947..c960661 100644
+')
+
+optional_policy(`
++ virt_read_blk_images(mount_t)
++')
++
++optional_policy(`
+ vmware_exec_host(mount_t)
')
########################################
-@@ -195,6 +314,42 @@ optional_policy(`
+@@ -195,6 +322,42 @@ optional_policy(`
#
optional_policy(`
@@ -43300,7 +43477,7 @@ index 8e71fb7..350d003 100644
+ role_transition $1 dhcpc_exec_t system_r;
')
diff --git a/policy/modules/system/sysnetwork.te b/policy/modules/system/sysnetwork.te
-index dfbe736..3663802 100644
+index dfbe736..5740b79 100644
--- a/policy/modules/system/sysnetwork.te
+++ b/policy/modules/system/sysnetwork.te
@@ -5,6 +5,13 @@ policy_module(sysnetwork, 1.11.0)
@@ -43363,7 +43540,7 @@ index dfbe736..3663802 100644
domain_use_interactive_fds(dhcpc_t)
domain_dontaudit_read_all_domains_state(dhcpc_t)
-@@ -130,6 +148,7 @@ term_dontaudit_use_unallocated_ttys(dhcpc_t)
+@@ -130,9 +148,11 @@ term_dontaudit_use_unallocated_ttys(dhcpc_t)
term_dontaudit_use_generic_ptys(dhcpc_t)
init_rw_utmp(dhcpc_t)
@@ -43371,7 +43548,11 @@ index dfbe736..3663802 100644
logging_send_syslog_msg(dhcpc_t)
-@@ -155,6 +174,10 @@ optional_policy(`
++miscfiles_read_generic_certs(dhcpc_t)
+ miscfiles_read_localization(dhcpc_t)
+
+ modutils_domtrans_insmod(dhcpc_t)
+@@ -155,6 +175,10 @@ optional_policy(`
')
optional_policy(`
@@ -43382,7 +43563,7 @@ index dfbe736..3663802 100644
init_dbus_chat_script(dhcpc_t)
dbus_system_bus_client(dhcpc_t)
-@@ -171,6 +194,8 @@ optional_policy(`
+@@ -171,6 +195,8 @@ optional_policy(`
optional_policy(`
hal_dontaudit_rw_dgram_sockets(dhcpc_t)
@@ -43391,7 +43572,7 @@ index dfbe736..3663802 100644
')
optional_policy(`
-@@ -192,6 +217,13 @@ optional_policy(`
+@@ -192,6 +218,13 @@ optional_policy(`
')
optional_policy(`
@@ -43405,7 +43586,7 @@ index dfbe736..3663802 100644
nis_read_ypbind_pid(dhcpc_t)
')
-@@ -213,6 +245,7 @@ optional_policy(`
+@@ -213,6 +246,7 @@ optional_policy(`
optional_policy(`
seutil_sigchld_newrole(dhcpc_t)
seutil_dontaudit_search_config(dhcpc_t)
@@ -43413,7 +43594,7 @@ index dfbe736..3663802 100644
')
optional_policy(`
-@@ -276,8 +309,11 @@ dev_read_urand(ifconfig_t)
+@@ -276,8 +310,11 @@ dev_read_urand(ifconfig_t)
domain_use_interactive_fds(ifconfig_t)
@@ -43425,7 +43606,7 @@ index dfbe736..3663802 100644
fs_getattr_xattr_fs(ifconfig_t)
fs_search_auto_mountpoints(ifconfig_t)
-@@ -305,6 +341,8 @@ modutils_domtrans_insmod(ifconfig_t)
+@@ -305,6 +342,8 @@ modutils_domtrans_insmod(ifconfig_t)
seutil_use_runinit_fds(ifconfig_t)
@@ -43434,7 +43615,7 @@ index dfbe736..3663802 100644
userdom_use_user_terminals(ifconfig_t)
userdom_use_all_users_fds(ifconfig_t)
-@@ -314,6 +352,10 @@ ifdef(`distro_ubuntu',`
+@@ -314,6 +353,10 @@ ifdef(`distro_ubuntu',`
')
')
@@ -43445,7 +43626,7 @@ index dfbe736..3663802 100644
ifdef(`hide_broken_symptoms',`
optional_policy(`
dev_dontaudit_rw_cardmgr(ifconfig_t)
-@@ -327,6 +369,8 @@ ifdef(`hide_broken_symptoms',`
+@@ -327,6 +370,8 @@ ifdef(`hide_broken_symptoms',`
optional_policy(`
hal_dontaudit_rw_pipes(ifconfig_t)
hal_dontaudit_rw_dgram_sockets(ifconfig_t)
@@ -43454,7 +43635,7 @@ index dfbe736..3663802 100644
')
optional_policy(`
-@@ -334,6 +378,10 @@ optional_policy(`
+@@ -334,6 +379,10 @@ optional_policy(`
')
optional_policy(`
@@ -43465,7 +43646,7 @@ index dfbe736..3663802 100644
nis_use_ypbind(ifconfig_t)
')
-@@ -355,3 +403,9 @@ optional_policy(`
+@@ -355,3 +404,9 @@ optional_policy(`
xen_append_log(ifconfig_t)
xen_dontaudit_rw_unix_stream_sockets(ifconfig_t)
')
@@ -44373,7 +44554,7 @@ index db75976..392d1ee 100644
+HOME_DIR/\.gvfs(/.*)? <<none>>
+HOME_DIR/\.debug(/.*)? <<none>>
diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
-index 35f1476..ad3b474 100644
+index 35f1476..addc01c 100644
--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
@@ -30,8 +30,9 @@ template(`userdom_base_user_template',`
@@ -45282,7 +45463,7 @@ index 35f1476..ad3b474 100644
##############################
#
# Local policy
-@@ -874,45 +1013,105 @@ template(`userdom_restricted_xwindows_user_template',`
+@@ -874,45 +1013,107 @@ template(`userdom_restricted_xwindows_user_template',`
#
auth_role($1_r, $1_t)
@@ -45305,6 +45486,8 @@ index 35f1476..ad3b474 100644
+ dev_write_video_dev($1_usertype)
+ dev_rw_wireless($1_usertype)
+
++ libs_dontaudit_setattr_lib_files($1_usertype)
++
+ tunable_policy(`user_rw_noexattrfile',`
+ dev_rw_usbfs($1_t)
+ dev_rw_generic_usb_dev($1_usertype)
@@ -45399,7 +45582,7 @@ index 35f1476..ad3b474 100644
')
')
-@@ -947,7 +1146,7 @@ template(`userdom_unpriv_user_template', `
+@@ -947,7 +1148,7 @@ template(`userdom_unpriv_user_template', `
#
# Inherit rules for ordinary users.
@@ -45408,7 +45591,7 @@ index 35f1476..ad3b474 100644
userdom_common_user_template($1)
##############################
-@@ -956,54 +1155,77 @@ template(`userdom_unpriv_user_template', `
+@@ -956,54 +1157,77 @@ template(`userdom_unpriv_user_template', `
#
# port access is audited even if dac would not have allowed it, so dontaudit it here
@@ -45493,30 +45676,30 @@ index 35f1476..ad3b474 100644
+
+ optional_policy(`
+ mono_role_template($1, $1_r, $1_t)
-+ ')
-+
-+ optional_policy(`
-+ mount_run_fusermount($1_t, $1_r)
-+ ')
-+
-+ optional_policy(`
-+ wine_role_template($1, $1_r, $1_t)
')
- # Run pppd in pppd_t by default for user
optional_policy(`
- ppp_run_cond($1_t,$1_r)
-+ postfix_run_postdrop($1_t, $1_r)
++ mount_run_fusermount($1_t, $1_r)
')
-+ # Run pppd in pppd_t by default for user
optional_policy(`
- setroubleshoot_stream_connect($1_t)
++ wine_role_template($1, $1_r, $1_t)
++ ')
++
++ optional_policy(`
++ postfix_run_postdrop($1_t, $1_r)
++ ')
++
++ # Run pppd in pppd_t by default for user
++ optional_policy(`
+ ppp_run_cond($1_t, $1_r)
')
')
-@@ -1039,7 +1261,7 @@ template(`userdom_unpriv_user_template', `
+@@ -1039,7 +1263,7 @@ template(`userdom_unpriv_user_template', `
template(`userdom_admin_user_template',`
gen_require(`
attribute admindomain;
@@ -45525,7 +45708,7 @@ index 35f1476..ad3b474 100644
')
##############################
-@@ -1074,6 +1296,9 @@ template(`userdom_admin_user_template',`
+@@ -1074,6 +1298,9 @@ template(`userdom_admin_user_template',`
# Skip authentication when pam_rootok is specified.
allow $1_t self:passwd rootok;
@@ -45535,7 +45718,7 @@ index 35f1476..ad3b474 100644
kernel_read_software_raid_state($1_t)
kernel_getattr_core_if($1_t)
kernel_getattr_message_if($1_t)
-@@ -1088,6 +1313,7 @@ template(`userdom_admin_user_template',`
+@@ -1088,6 +1315,7 @@ template(`userdom_admin_user_template',`
kernel_sigstop_unlabeled($1_t)
kernel_signull_unlabeled($1_t)
kernel_sigchld_unlabeled($1_t)
@@ -45543,7 +45726,7 @@ index 35f1476..ad3b474 100644
corenet_tcp_bind_generic_port($1_t)
# allow setting up tunnels
-@@ -1119,10 +1345,13 @@ template(`userdom_admin_user_template',`
+@@ -1119,10 +1347,13 @@ template(`userdom_admin_user_template',`
domain_sigchld_all_domains($1_t)
# for lsof
domain_getattr_all_sockets($1_t)
@@ -45557,7 +45740,7 @@ index 35f1476..ad3b474 100644
fs_set_all_quotas($1_t)
fs_exec_noxattr($1_t)
-@@ -1142,6 +1371,7 @@ template(`userdom_admin_user_template',`
+@@ -1142,6 +1373,7 @@ template(`userdom_admin_user_template',`
logging_send_syslog_msg($1_t)
modutils_domtrans_insmod($1_t)
@@ -45565,7 +45748,7 @@ index 35f1476..ad3b474 100644
# The following rule is temporary until such time that a complete
# policy management infrastructure is in place so that an administrator
-@@ -1210,6 +1440,8 @@ template(`userdom_security_admin_template',`
+@@ -1210,6 +1442,8 @@ template(`userdom_security_admin_template',`
dev_relabel_all_dev_nodes($1)
files_create_boot_flag($1)
@@ -45574,7 +45757,7 @@ index 35f1476..ad3b474 100644
# Necessary for managing /boot/efi
fs_manage_dos_files($1)
-@@ -1237,6 +1469,7 @@ template(`userdom_security_admin_template',`
+@@ -1237,6 +1471,7 @@ template(`userdom_security_admin_template',`
seutil_run_checkpolicy($1,$2)
seutil_run_loadpolicy($1,$2)
seutil_run_semanage($1,$2)
@@ -45582,7 +45765,7 @@ index 35f1476..ad3b474 100644
seutil_run_setfiles($1, $2)
optional_policy(`
-@@ -1275,12 +1508,15 @@ template(`userdom_security_admin_template',`
+@@ -1275,12 +1510,15 @@ template(`userdom_security_admin_template',`
interface(`userdom_user_home_content',`
gen_require(`
type user_home_t;
@@ -45599,7 +45782,7 @@ index 35f1476..ad3b474 100644
')
########################################
-@@ -1391,6 +1627,7 @@ interface(`userdom_search_user_home_dirs',`
+@@ -1391,6 +1629,7 @@ interface(`userdom_search_user_home_dirs',`
')
allow $1 user_home_dir_t:dir search_dir_perms;
@@ -45607,7 +45790,7 @@ index 35f1476..ad3b474 100644
files_search_home($1)
')
-@@ -1437,6 +1674,14 @@ interface(`userdom_list_user_home_dirs',`
+@@ -1437,6 +1676,14 @@ interface(`userdom_list_user_home_dirs',`
allow $1 user_home_dir_t:dir list_dir_perms;
files_search_home($1)
@@ -45622,7 +45805,7 @@ index 35f1476..ad3b474 100644
')
########################################
-@@ -1452,9 +1697,11 @@ interface(`userdom_list_user_home_dirs',`
+@@ -1452,9 +1699,11 @@ interface(`userdom_list_user_home_dirs',`
interface(`userdom_dontaudit_list_user_home_dirs',`
gen_require(`
type user_home_dir_t;
@@ -45634,7 +45817,7 @@ index 35f1476..ad3b474 100644
')
########################################
-@@ -1511,6 +1758,42 @@ interface(`userdom_relabelto_user_home_dirs',`
+@@ -1511,6 +1760,42 @@ interface(`userdom_relabelto_user_home_dirs',`
allow $1 user_home_dir_t:dir relabelto;
')
@@ -45677,7 +45860,7 @@ index 35f1476..ad3b474 100644
########################################
## <summary>
## Create directories in the home dir root with
-@@ -1585,6 +1868,8 @@ interface(`userdom_dontaudit_search_user_home_content',`
+@@ -1585,6 +1870,8 @@ interface(`userdom_dontaudit_search_user_home_content',`
')
dontaudit $1 user_home_t:dir search_dir_perms;
@@ -45686,7 +45869,7 @@ index 35f1476..ad3b474 100644
')
########################################
-@@ -1599,10 +1884,12 @@ interface(`userdom_dontaudit_search_user_home_content',`
+@@ -1599,10 +1886,12 @@ interface(`userdom_dontaudit_search_user_home_content',`
#
interface(`userdom_list_user_home_content',`
gen_require(`
@@ -45701,7 +45884,7 @@ index 35f1476..ad3b474 100644
')
########################################
-@@ -1645,34 +1932,53 @@ interface(`userdom_delete_user_home_content_dirs',`
+@@ -1645,30 +1934,49 @@ interface(`userdom_delete_user_home_content_dirs',`
########################################
## <summary>
@@ -45737,10 +45920,9 @@ index 35f1476..ad3b474 100644
## <summary>
-## Domain allowed access.
+## Domain to not audit.
- ## </summary>
- ## </param>
- #
--interface(`userdom_mmap_user_home_content_files',`
++## </summary>
++## </param>
++#
+interface(`userdom_dontaudit_setattr_user_home_content_files',`
+ gen_require(`
+ type user_home_t;
@@ -45756,14 +45938,10 @@ index 35f1476..ad3b474 100644
+## <param name="domain">
+## <summary>
+## Domain allowed access.
-+## </summary>
-+## </param>
-+#
-+interface(`userdom_mmap_user_home_content_files',`
- gen_require(`
- type user_home_dir_t, user_home_t;
- ')
-@@ -1696,12 +2002,32 @@ interface(`userdom_read_user_home_content_files',`
+ ## </summary>
+ ## </param>
+ #
+@@ -1696,12 +2004,32 @@ interface(`userdom_read_user_home_content_files',`
type user_home_dir_t, user_home_t;
')
@@ -45796,7 +45974,7 @@ index 35f1476..ad3b474 100644
## Do not audit attempts to read user home files.
## </summary>
## <param name="domain">
-@@ -1712,11 +2038,14 @@ interface(`userdom_read_user_home_content_files',`
+@@ -1712,11 +2040,14 @@ interface(`userdom_read_user_home_content_files',`
#
interface(`userdom_dontaudit_read_user_home_content_files',`
gen_require(`
@@ -45814,7 +45992,7 @@ index 35f1476..ad3b474 100644
')
########################################
-@@ -1806,8 +2135,7 @@ interface(`userdom_read_user_home_content_symlinks',`
+@@ -1806,8 +2137,7 @@ interface(`userdom_read_user_home_content_symlinks',`
type user_home_dir_t, user_home_t;
')
@@ -45824,7 +46002,7 @@ index 35f1476..ad3b474 100644
')
########################################
-@@ -1823,20 +2151,14 @@ interface(`userdom_read_user_home_content_symlinks',`
+@@ -1823,20 +2153,14 @@ interface(`userdom_read_user_home_content_symlinks',`
#
interface(`userdom_exec_user_home_content_files',`
gen_require(`
@@ -45849,7 +46027,7 @@ index 35f1476..ad3b474 100644
########################################
## <summary>
-@@ -2178,7 +2500,7 @@ interface(`userdom_dontaudit_read_user_tmp_files',`
+@@ -2178,7 +2502,7 @@ interface(`userdom_dontaudit_read_user_tmp_files',`
type user_tmp_t;
')
@@ -45858,7 +46036,7 @@ index 35f1476..ad3b474 100644
')
########################################
-@@ -2431,13 +2753,14 @@ interface(`userdom_read_user_tmpfs_files',`
+@@ -2431,13 +2755,14 @@ interface(`userdom_read_user_tmpfs_files',`
')
read_files_pattern($1, user_tmpfs_t, user_tmpfs_t)
@@ -45874,7 +46052,7 @@ index 35f1476..ad3b474 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -2458,26 +2781,6 @@ interface(`userdom_rw_user_tmpfs_files',`
+@@ -2458,26 +2783,6 @@ interface(`userdom_rw_user_tmpfs_files',`
########################################
## <summary>
@@ -45901,7 +46079,7 @@ index 35f1476..ad3b474 100644
## Get the attributes of a user domain tty.
## </summary>
## <param name="domain">
-@@ -2811,7 +3114,7 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
+@@ -2811,7 +3116,7 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
domain_entry_file_spec_domtrans($1, unpriv_userdomain)
allow unpriv_userdomain $1:fd use;
@@ -45910,7 +46088,7 @@ index 35f1476..ad3b474 100644
allow unpriv_userdomain $1:process sigchld;
')
-@@ -2827,11 +3130,13 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
+@@ -2827,11 +3132,13 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
#
interface(`userdom_search_user_home_content',`
gen_require(`
@@ -45926,7 +46104,7 @@ index 35f1476..ad3b474 100644
')
########################################
-@@ -2913,7 +3218,7 @@ interface(`userdom_dontaudit_use_user_ptys',`
+@@ -2913,7 +3220,7 @@ interface(`userdom_dontaudit_use_user_ptys',`
type user_devpts_t;
')
@@ -45935,7 +46113,7 @@ index 35f1476..ad3b474 100644
')
########################################
-@@ -2968,7 +3273,45 @@ interface(`userdom_write_user_tmp_files',`
+@@ -2968,7 +3275,45 @@ interface(`userdom_write_user_tmp_files',`
type user_tmp_t;
')
@@ -45982,7 +46160,7 @@ index 35f1476..ad3b474 100644
')
########################################
-@@ -3005,6 +3348,7 @@ interface(`userdom_read_all_users_state',`
+@@ -3005,6 +3350,7 @@ interface(`userdom_read_all_users_state',`
')
read_files_pattern($1, userdomain, userdomain)
@@ -45990,7 +46168,7 @@ index 35f1476..ad3b474 100644
kernel_search_proc($1)
')
-@@ -3135,3 +3479,854 @@ interface(`userdom_dbus_send_all_users',`
+@@ -3135,3 +3481,854 @@ interface(`userdom_dbus_send_all_users',`
allow $1 userdomain:dbus send_msg;
')
diff --git a/selinux-policy.spec b/selinux-policy.spec
index f0315a2..709824d 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -21,7 +21,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.9.7
-Release: 4%{?dist}
+Release: 5%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -472,6 +472,18 @@ exit 0
%endif
%changelog
+* Tue Oct 19 2010 Dan Walsh <dwalsh at redhat.com> 3.9.7-5
+- Allow chome to create netlink_route_socket
+- Add additional MATHLAB file context
+- Define nsplugin as an application_domain
+- Dontaudit sending signals from sandboxed domains to other domains
+- systemd requires init to build /tmp /var/auth and /var/lock dirs
+- mount wants to read devicekit_power /proc/ entries
+- mpd wants to connect to soundd port
+- Openoffice causes a setattr on a lib_t file for normal users, add dontaudit
+- Treat lib_t and textrel_shlib_t directories the same
+- Allow mount read access on virtual images
+
* Fri Oct 15 2010 Dan Walsh <dwalsh at redhat.com> 3.9.7-4
- Allow sandbox_x_domains to work with nfs/cifs/fusefs home dirs.
- Allow devicekit_power to domtrans to mount
More information about the scm-commits
mailing list