[selinux-policy/f16] - Needs to require a new version of checkpolicy - Interface fixes
Miroslav Grepl
mgrepl at fedoraproject.org
Tue Sep 20 14:34:49 UTC 2011
commit 8e14c650d498cce00058d722ef742b4922fafb92
Author: Miroslav <mgrepl at redhat.com>
Date: Tue Sep 20 16:34:20 2011 +0200
- Needs to require a new version of checkpolicy
- Interface fixes
policy-F16.patch | 478 +++++++++++++++++++++++++++++----------------------
selinux-policy.spec | 8 +-
2 files changed, 276 insertions(+), 210 deletions(-)
---
diff --git a/policy-F16.patch b/policy-F16.patch
index badcf4e..4ff9a1d 100644
--- a/policy-F16.patch
+++ b/policy-F16.patch
@@ -4705,7 +4705,7 @@ index 00a19e3..9f6139c 100644
+/usr/libexec/gnome-system-monitor-mechanism -- gen_context(system_u:object_r:gnomesystemmm_exec_t,s0)
+/usr/libexec/kde(3|4)/ksysguardprocesslist_helper -- gen_context(system_u:object_r:gnomesystemmm_exec_t,s0)
diff --git a/policy/modules/apps/gnome.if b/policy/modules/apps/gnome.if
-index f5afe78..ab334b0 100644
+index f5afe78..8136040 100644
--- a/policy/modules/apps/gnome.if
+++ b/policy/modules/apps/gnome.if
@@ -1,44 +1,731 @@
@@ -5583,7 +5583,7 @@ index f5afe78..ab334b0 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -140,51 +831,355 @@ interface(`gnome_domtrans_gconfd',`
+@@ -140,51 +831,356 @@ interface(`gnome_domtrans_gconfd',`
## </summary>
## </param>
#
@@ -5911,6 +5911,7 @@ index f5afe78..ab334b0 100644
+ # /root/.color/icc: legacy
+ userdom_admin_home_dir_filetrans($1, icc_data_home_t, dir, "icc")
+')
++
+######################################
+## <summary>
+## Execute gnome-keyring executable
@@ -17131,7 +17132,7 @@ index 6346378..8c500cd 100644
+')
+
diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te
-index d91c62f..e8faa88 100644
+index d91c62f..c857dc0 100644
--- a/policy/modules/kernel/kernel.te
+++ b/policy/modules/kernel/kernel.te
@@ -1,5 +1,12 @@
@@ -17312,7 +17313,7 @@ index d91c62f..e8faa88 100644
+ # calls sched_setscheduler()
+ allow can_load_kernmodule self:capability sys_nice;
+ kernel_setsched(can_load_kernmodule)
-+'}
++}
+
diff --git a/policy/modules/kernel/mcs.if b/policy/modules/kernel/mcs.if
index f52faaf..6bb6529 100644
@@ -20343,10 +20344,10 @@ index 0000000..8b2cdf3
+
diff --git a/policy/modules/roles/unconfineduser.te b/policy/modules/roles/unconfineduser.te
new file mode 100644
-index 0000000..90243b0
+index 0000000..1105ff5
--- /dev/null
+++ b/policy/modules/roles/unconfineduser.te
-@@ -0,0 +1,503 @@
+@@ -0,0 +1,502 @@
+policy_module(unconfineduser, 1.0.0)
+
+########################################
@@ -20580,7 +20581,6 @@ index 0000000..90243b0
+
+optional_policy(`
+ alsa_run(unconfined_t, unconfined_r)
-+ alsa_filetrans_named_content(unconfined_t)
+')
+
+optional_policy(`
@@ -22383,7 +22383,7 @@ index 9e39aa5..d7a8d41 100644
+/var/run/dirsrv/admin-serv.* gen_context(system_u:object_r:httpd_var_run_t,s0)
+/opt/dirsrv/var/run/dirsrv/dsgw/cookies(/.*)? gen_context(system_u:object_r:httpd_var_run_t,s0)
diff --git a/policy/modules/services/apache.if b/policy/modules/services/apache.if
-index 6480167..13d57b7 100644
+index 6480167..6a02978 100644
--- a/policy/modules/services/apache.if
+++ b/policy/modules/services/apache.if
@@ -13,17 +13,13 @@
@@ -22893,7 +22893,20 @@ index 6480167..13d57b7 100644
')
########################################
-@@ -1170,17 +1360,15 @@ interface(`apache_cgi_domain',`
+@@ -1150,12 +1340,6 @@ interface(`apache_cgi_domain',`
+ ## <summary>
+ ## All of the rules required to administrate an apache environment
+ ## </summary>
+-## <param name="prefix">
+-## <summary>
+-## Prefix of the domain. Example, user would be
+-## the prefix for the uder_t domain.
+-## </summary>
+-## </param>
+ ## <param name="domain">
+ ## <summary>
+ ## Domain allowed access.
+@@ -1170,17 +1354,15 @@ interface(`apache_cgi_domain',`
#
interface(`apache_admin',`
gen_require(`
@@ -22916,7 +22929,7 @@ index 6480167..13d57b7 100644
ps_process_pattern($1, httpd_t)
init_labeled_script_domtrans($1, httpd_initrc_exec_t)
-@@ -1191,10 +1379,10 @@ interface(`apache_admin',`
+@@ -1191,10 +1373,10 @@ interface(`apache_admin',`
apache_manage_all_content($1)
miscfiles_manage_public_files($1)
@@ -22929,7 +22942,7 @@ index 6480167..13d57b7 100644
admin_pattern($1, httpd_log_t)
admin_pattern($1, httpd_modules_t)
-@@ -1205,14 +1393,69 @@ interface(`apache_admin',`
+@@ -1205,14 +1387,69 @@ interface(`apache_admin',`
admin_pattern($1, httpd_var_run_t)
files_pid_filetrans($1, httpd_var_run_t, file)
@@ -24280,7 +24293,7 @@ index 8b8143e..c1a2b96 100644
init_labeled_script_domtrans($1, asterisk_initrc_exec_t)
diff --git a/policy/modules/services/asterisk.te b/policy/modules/services/asterisk.te
-index b3b0176..c873197 100644
+index b3b0176..7cc09e8 100644
--- a/policy/modules/services/asterisk.te
+++ b/policy/modules/services/asterisk.te
@@ -19,10 +19,11 @@ type asterisk_log_t;
@@ -24296,15 +24309,17 @@ index b3b0176..c873197 100644
type asterisk_tmpfs_t;
files_tmpfs_file(asterisk_tmpfs_t)
-@@ -39,7 +40,7 @@ files_pid_file(asterisk_var_run_t)
+@@ -39,8 +40,8 @@ files_pid_file(asterisk_var_run_t)
#
# dac_override for /var/run/asterisk
-allow asterisk_t self:capability { dac_override setgid setuid sys_nice net_admin };
+-dontaudit asterisk_t self:capability sys_tty_config;
+allow asterisk_t self:capability { dac_override chown setgid setuid sys_nice net_admin };
- dontaudit asterisk_t self:capability sys_tty_config;
++dontaudit asterisk_t self:capability { sys_module sys_tty_config };
allow asterisk_t self:process { getsched setsched signal_perms getcap setcap };
allow asterisk_t self:fifo_file rw_fifo_file_perms;
+ allow asterisk_t self:sem create_sem_perms;
@@ -76,10 +77,11 @@ fs_tmpfs_filetrans(asterisk_t, asterisk_tmpfs_t, { dir file lnk_file sock_file f
manage_files_pattern(asterisk_t, asterisk_var_lib_t, asterisk_var_lib_t)
files_var_lib_filetrans(asterisk_t, asterisk_var_lib_t, file)
@@ -24565,7 +24580,7 @@ index 44a1e3d..7e9d2fb 100644
files_list_pids($1)
admin_pattern($1, named_var_run_t)
diff --git a/policy/modules/services/bind.te b/policy/modules/services/bind.te
-index 4deca04..991629d 100644
+index 4deca04..5f387b2 100644
--- a/policy/modules/services/bind.te
+++ b/policy/modules/services/bind.te
@@ -6,16 +6,24 @@ policy_module(bind, 1.11.0)
@@ -24629,7 +24644,7 @@ index 4deca04..991629d 100644
tunable_policy(`named_write_master_zones',`
manage_dirs_pattern(named_t, named_zone_t, named_zone_t)
manage_files_pattern(named_t, named_zone_t, named_zone_t)
-@@ -198,15 +211,14 @@ allow ndc_t self:process { fork signal_perms };
+@@ -198,18 +211,18 @@ allow ndc_t self:process { fork signal_perms };
allow ndc_t self:fifo_file rw_fifo_file_perms;
allow ndc_t self:unix_stream_socket { connect create_stream_socket_perms };
allow ndc_t self:tcp_socket create_socket_perms;
@@ -24647,7 +24662,11 @@ index 4deca04..991629d 100644
allow ndc_t named_zone_t:dir search_dir_perms;
-@@ -228,6 +240,8 @@ files_search_pids(ndc_t)
++kernel_read_system_state(ndc_t)
+ kernel_read_kernel_sysctls(ndc_t)
+
+ corenet_all_recvfrom_unlabeled(ndc_t)
+@@ -228,6 +241,8 @@ files_search_pids(ndc_t)
fs_getattr_xattr_fs(ndc_t)
@@ -24656,7 +24675,7 @@ index 4deca04..991629d 100644
init_use_fds(ndc_t)
init_use_script_ptys(ndc_t)
-@@ -235,24 +249,13 @@ logging_send_syslog_msg(ndc_t)
+@@ -235,24 +250,13 @@ logging_send_syslog_msg(ndc_t)
miscfiles_read_localization(ndc_t)
@@ -26578,7 +26597,7 @@ index fd8cd0b..3d61138 100644
+/var/run/chronyd(/.*) gen_context(system_u:object_r:chronyd_var_run_t,s0)
+/var/run/chronyd\.sock gen_context(system_u:object_r:chronyd_var_run_t,s0)
diff --git a/policy/modules/services/chronyd.if b/policy/modules/services/chronyd.if
-index 9a0da94..82d2d24 100644
+index 9a0da94..5383054 100644
--- a/policy/modules/services/chronyd.if
+++ b/policy/modules/services/chronyd.if
@@ -19,6 +19,24 @@ interface(`chronyd_domtrans',`
@@ -26606,7 +26625,7 @@ index 9a0da94..82d2d24 100644
####################################
## <summary>
## Execute chronyd
-@@ -56,6 +74,123 @@ interface(`chronyd_read_log',`
+@@ -56,6 +74,126 @@ interface(`chronyd_read_log',`
read_files_pattern($1, chronyd_var_log_t, chronyd_var_log_t)
')
@@ -26680,6 +26699,7 @@ index 9a0da94..82d2d24 100644
+#
+interface(`chronyd_systemctl',`
+ gen_require(`
++ type chronyd_t;
+ type chronyd_unit_t;
+ ')
+
@@ -26687,6 +26707,8 @@ index 9a0da94..82d2d24 100644
+ systemd_search_unit_dirs($1)
+ allow $1 chronyd_unit_t:file read_file_perms;
+ allow $1 chronyd_unit_t:service all_service_perms;
++
++ ps_process_pattern($1, chronyd_t)
+')
+
+########################################
@@ -26730,7 +26752,7 @@ index 9a0da94..82d2d24 100644
####################################
## <summary>
## All of the rules required to administrate
-@@ -75,9 +210,9 @@ interface(`chronyd_read_log',`
+@@ -75,9 +213,9 @@ interface(`chronyd_read_log',`
#
interface(`chronyd_admin',`
gen_require(`
@@ -26743,7 +26765,7 @@ index 9a0da94..82d2d24 100644
')
allow $1 chronyd_t:process { ptrace signal_perms };
-@@ -88,18 +223,19 @@ interface(`chronyd_admin',`
+@@ -88,18 +226,19 @@ interface(`chronyd_admin',`
role_transition $2 chronyd_initrc_exec_t system_r;
allow $2 system_r;
@@ -31638,7 +31660,7 @@ index 0000000..c6cbc80
+/usr/lib/dirsrv/cgi-bin/ds_remove -- gen_context(system_u:object_r:dirsrvadmin_unconfined_script_exec_t,s0)
diff --git a/policy/modules/services/dirsrv-admin.if b/policy/modules/services/dirsrv-admin.if
new file mode 100644
-index 0000000..a951202
+index 0000000..332a1c9
--- /dev/null
+++ b/policy/modules/services/dirsrv-admin.if
@@ -0,0 +1,134 @@
@@ -31773,7 +31795,7 @@ index 0000000..a951202
+ ')
+
+ domtrans_pattern($1, dirsrvadmin_unconfined_script_exec_t, dirsrvadmin_unconfined_script_t)
-+ allow httpd_t dirsrvadmin_unconfined_script_t:process signal_perms;
++ allow $1 dirsrvadmin_unconfined_script_t:process signal_perms;
+
+')
diff --git a/policy/modules/services/dirsrv-admin.te b/policy/modules/services/dirsrv-admin.te
@@ -33612,7 +33634,7 @@ index 6bef7f8..464669c 100644
+ admin_pattern($1, exim_var_run_t)
+')
diff --git a/policy/modules/services/exim.te b/policy/modules/services/exim.te
-index f28f64b..12ade3b 100644
+index f28f64b..05784e2 100644
--- a/policy/modules/services/exim.te
+++ b/policy/modules/services/exim.te
@@ -6,24 +6,24 @@ policy_module(exim, 1.5.0)
@@ -33675,7 +33697,15 @@ index f28f64b..12ade3b 100644
corecmd_search_bin(exim_t)
-@@ -171,6 +174,10 @@ optional_policy(`
+@@ -108,6 +111,7 @@ domain_use_interactive_fds(exim_t)
+
+ files_search_usr(exim_t)
+ files_search_var(exim_t)
++files_read_usr_files(exim_t)
+ files_read_etc_files(exim_t)
+ files_read_etc_runtime_files(exim_t)
+ files_getattr_all_mountpoints(exim_t)
+@@ -171,6 +175,10 @@ optional_policy(`
')
optional_policy(`
@@ -33686,7 +33716,7 @@ index f28f64b..12ade3b 100644
tunable_policy(`exim_can_connect_db',`
mysql_stream_connect(exim_t)
')
-@@ -184,6 +191,7 @@ optional_policy(`
+@@ -184,6 +192,7 @@ optional_policy(`
optional_policy(`
procmail_domtrans(exim_t)
@@ -42562,7 +42592,7 @@ index 15448d5..b6b42c1 100644
+/lib/systemd/system/yppasswdd\.service -- gen_context(system_u:object_r:nis_unit_t,s0)
+/lib/systemd/system/ypxfrd\.service -- gen_context(system_u:object_r:nis_unit_t,s0)
diff --git a/policy/modules/services/nis.if b/policy/modules/services/nis.if
-index abe3f7f..6314fa6 100644
+index abe3f7f..2de87de 100644
--- a/policy/modules/services/nis.if
+++ b/policy/modules/services/nis.if
@@ -34,7 +34,7 @@ interface(`nis_use_ypbind_uncond',`
@@ -42616,7 +42646,7 @@ index abe3f7f..6314fa6 100644
## Read ypserv configuration files.
## </summary>
## <param name="domain">
-@@ -337,6 +318,48 @@ interface(`nis_initrc_domtrans_ypbind',`
+@@ -337,6 +318,57 @@ interface(`nis_initrc_domtrans_ypbind',`
########################################
## <summary>
@@ -42631,12 +42661,15 @@ index abe3f7f..6314fa6 100644
+interface(`nis_systemctl_ypbind',`
+ gen_require(`
+ type ypbind_unit_t;
++ type ypbind_t;
+ ')
+
+ systemd_exec_systemctl($1)
+ systemd_search_unit_dirs($1)
+ allow $1 ypbind_unit_t:file read_file_perms;
+ allow $1 ypbind_unit_t:service all_service_perms;
++
++ ps_process_pattern($1, ypbind_t)
+')
+
+########################################
@@ -42652,12 +42685,18 @@ index abe3f7f..6314fa6 100644
+interface(`nis_systemctl',`
+ gen_require(`
+ type nis_unit_t;
++ type ypbind_t, yppasswdd_t, ypserv_t, ypxfr_t;
+ ')
+
+ systemd_exec_systemctl($1)
+ systemd_search_unit_dirs($1)
+ allow $1 nis_unit_t:file read_file_perms;
+ allow $1 nis_unit_t:service all_service_perms;
++
++ ps_process_pattern($1, ypbind_t)
++ ps_process_pattern($1, yppasswdd_t)
++ ps_process_pattern($1, ypserv_t)
++ ps_process_pattern($1, ypxfr_t)
+')
+
+########################################
@@ -42665,7 +42704,7 @@ index abe3f7f..6314fa6 100644
## All of the rules required to administrate
## an nis environment
## </summary>
-@@ -354,10 +377,10 @@ interface(`nis_initrc_domtrans_ypbind',`
+@@ -354,10 +386,10 @@ interface(`nis_initrc_domtrans_ypbind',`
#
interface(`nis_admin',`
gen_require(`
@@ -42678,7 +42717,7 @@ index abe3f7f..6314fa6 100644
')
allow $1 ypbind_t:process { ptrace signal_perms };
-@@ -384,6 +407,7 @@ interface(`nis_admin',`
+@@ -384,6 +416,7 @@ interface(`nis_admin',`
files_list_pids($1)
admin_pattern($1, ypbind_var_run_t)
@@ -42686,7 +42725,7 @@ index abe3f7f..6314fa6 100644
admin_pattern($1, yppasswdd_var_run_t)
-@@ -393,4 +417,5 @@ interface(`nis_admin',`
+@@ -393,4 +426,5 @@ interface(`nis_admin',`
admin_pattern($1, ypserv_tmp_t)
admin_pattern($1, ypserv_var_run_t)
@@ -43005,10 +43044,10 @@ index e79dccc..50202ef 100644
/usr/sbin/ntpdate -- gen_context(system_u:object_r:ntpdate_exec_t,s0)
diff --git a/policy/modules/services/ntp.if b/policy/modules/services/ntp.if
-index e80f8c0..e3d6ebb 100644
+index e80f8c0..4b93b29 100644
--- a/policy/modules/services/ntp.if
+++ b/policy/modules/services/ntp.if
-@@ -98,6 +98,46 @@ interface(`ntp_initrc_domtrans',`
+@@ -98,6 +98,49 @@ interface(`ntp_initrc_domtrans',`
init_labeled_script_domtrans($1, ntpd_initrc_exec_t)
')
@@ -43044,18 +43083,21 @@ index e80f8c0..e3d6ebb 100644
+interface(`ntp_systemctl',`
+ gen_require(`
+ type ntpd_unit_t;
++ type ntpd_t;
+ ')
+
+ systemd_exec_systemctl($1)
+ systemd_search_unit_dirs($1)
+ allow $1 ntpd_unit_t:file read_file_perms;
+ allow $1 ntpd_unit_t:service all_service_perms;
++
++ ps_process_pattern($1, ntpd_t)
+')
+
########################################
## <summary>
## Read and write ntpd shared memory.
-@@ -122,6 +162,25 @@ interface(`ntp_rw_shm',`
+@@ -122,6 +165,25 @@ interface(`ntp_rw_shm',`
########################################
## <summary>
@@ -43081,7 +43123,7 @@ index e80f8c0..e3d6ebb 100644
## All of the rules required to administrate
## an ntp environment
## </summary>
-@@ -140,11 +199,10 @@ interface(`ntp_rw_shm',`
+@@ -140,11 +202,10 @@ interface(`ntp_rw_shm',`
interface(`ntp_admin',`
gen_require(`
type ntpd_t, ntpd_tmp_t, ntpd_log_t;
@@ -43095,7 +43137,7 @@ index e80f8c0..e3d6ebb 100644
ps_process_pattern($1, ntpd_t)
init_labeled_script_domtrans($1, ntpd_initrc_exec_t)
-@@ -162,4 +220,6 @@ interface(`ntp_admin',`
+@@ -162,4 +223,6 @@ interface(`ntp_admin',`
files_list_pids($1)
admin_pattern($1, ntpd_var_run_t)
@@ -46431,7 +46473,7 @@ index b524673..9d90fb3 100644
admin_pattern($1, pptp_var_run_t)
diff --git a/policy/modules/services/ppp.te b/policy/modules/services/ppp.te
-index 2af42e7..95a25b6 100644
+index 2af42e7..0d51fe4 100644
--- a/policy/modules/services/ppp.te
+++ b/policy/modules/services/ppp.te
@@ -6,16 +6,16 @@ policy_module(ppp, 1.12.0)
@@ -46540,7 +46582,7 @@ index 2af42e7..95a25b6 100644
')
optional_policy(`
-@@ -243,9 +248,10 @@ allow pptp_t pppd_log_t:file append_file_perms;
+@@ -243,14 +248,17 @@ allow pptp_t pppd_log_t:file append_file_perms;
allow pptp_t pptp_log_t:file manage_file_perms;
logging_log_filetrans(pptp_t, pptp_log_t, file)
@@ -46551,7 +46593,14 @@ index 2af42e7..95a25b6 100644
+files_pid_filetrans(pptp_t, pptp_var_run_t, { file dir })
kernel_list_proc(pptp_t)
++kernel_signal(pptp_t)
kernel_read_kernel_sysctls(pptp_t)
+ kernel_read_proc_symlinks(pptp_t)
+ kernel_read_system_state(pptp_t)
++kernel_signal(pptp_t)
+
+ dev_read_sysfs(pptp_t)
+
diff --git a/policy/modules/services/prelude.if b/policy/modules/services/prelude.if
index 2316653..77ef768 100644
--- a/policy/modules/services/prelude.if
@@ -47640,7 +47689,7 @@ index 0055e54..f988f51 100644
/var/qmail/queue(/.*)? gen_context(system_u:object_r:qmail_spool_t,s0)
diff --git a/policy/modules/services/qmail.if b/policy/modules/services/qmail.if
-index a55bf44..27007ed 100644
+index a55bf44..c6dee66 100644
--- a/policy/modules/services/qmail.if
+++ b/policy/modules/services/qmail.if
@@ -62,14 +62,13 @@ interface(`qmail_domtrans_inject',`
@@ -47685,7 +47734,7 @@ index a55bf44..27007ed 100644
+## Create, read, write, and delete qmail
+## spool directories.
+## </summary>
-+## <param name="prefix">
++## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
@@ -47704,7 +47753,7 @@ index a55bf44..27007ed 100644
+## Create, read, write, and delete qmail
+## spool files.
+## </summary>
-+## <param name="prefix">
++## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
@@ -52119,10 +52168,10 @@ index 0000000..b077a62
+
diff --git a/policy/modules/services/sblim.te b/policy/modules/services/sblim.te
new file mode 100644
-index 0000000..ea10ecc
+index 0000000..067c552
--- /dev/null
+++ b/policy/modules/services/sblim.te
-@@ -0,0 +1,105 @@
+@@ -0,0 +1,108 @@
+policy_module(sblim, 1.0.0)
+
+########################################
@@ -52150,6 +52199,7 @@ index 0000000..ea10ecc
+
+#needed by ps
+allow sblim_gatherd_t self:capability { sys_ptrace kill dac_override };
++allow sblim_gatherd_t self:process signal;
+
+allow sblim_gatherd_t self:fifo_file rw_fifo_file_perms;
+allow sblim_gatherd_t self:unix_stream_socket create_stream_socket_perms;
@@ -52184,6 +52234,7 @@ index 0000000..ea10ecc
+')
+
+optional_policy(`
++ ssh_signull(sblim_gatherd_t)
+ sysnet_dns_name_resolve(sblim_gatherd_t)
+')
+
@@ -52228,6 +52279,7 @@ index 0000000..ea10ecc
+files_read_etc_files(sblim_domain)
+
+miscfiles_read_localization(sblim_domain)
++
diff --git a/policy/modules/services/sendmail.fc b/policy/modules/services/sendmail.fc
index a86ec50..ef4199b 100644
--- a/policy/modules/services/sendmail.fc
@@ -52772,7 +52824,7 @@ index 275f9fb..4f4a192 100644
init_labeled_script_domtrans($1, snmpd_initrc_exec_t)
diff --git a/policy/modules/services/snmp.te b/policy/modules/services/snmp.te
-index 3d8d1b3..0c5769c 100644
+index 3d8d1b3..633e4ce 100644
--- a/policy/modules/services/snmp.te
+++ b/policy/modules/services/snmp.te
@@ -4,6 +4,7 @@ policy_module(snmp, 1.11.0)
@@ -52813,7 +52865,7 @@ index 3d8d1b3..0c5769c 100644
kernel_read_device_sysctls(snmpd_t)
kernel_read_kernel_sysctls(snmpd_t)
-@@ -97,9 +100,10 @@ fs_search_auto_mountpoints(snmpd_t)
+@@ -97,12 +100,15 @@ fs_search_auto_mountpoints(snmpd_t)
storage_dontaudit_read_fixed_disk(snmpd_t)
storage_dontaudit_read_removable_device(snmpd_t)
@@ -52825,7 +52877,12 @@ index 3d8d1b3..0c5769c 100644
init_read_utmp(snmpd_t)
init_dontaudit_write_utmp(snmpd_t)
-@@ -115,7 +119,7 @@ sysnet_read_config(snmpd_t)
++# need write to /var/run/systemd/notify
++init_write_pid_socket(snmpd_t)
+
+ logging_send_syslog_msg(snmpd_t)
+
+@@ -115,7 +121,7 @@ sysnet_read_config(snmpd_t)
userdom_dontaudit_use_unpriv_user_fds(snmpd_t)
userdom_dontaudit_search_user_home_dirs(snmpd_t)
@@ -69973,7 +70030,7 @@ index db75976..494ec08 100644
+
+/var/run/user(/.*)? gen_context(system_u:object_r:user_tmp_t,s0)
diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
-index 4b2878a..10ddf7d 100644
+index 4b2878a..fe5913a 100644
--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
@@ -30,9 +30,11 @@ template(`userdom_base_user_template',`
@@ -70601,38 +70658,34 @@ index 4b2878a..10ddf7d 100644
')
tunable_policy(`user_ttyfile_stat',`
-@@ -574,67 +672,124 @@ template(`userdom_common_user_template',`
+@@ -574,67 +672,117 @@ template(`userdom_common_user_template',`
')
optional_policy(`
-+ alsa_read_rw_config($1_usertype)
- alsa_manage_home_files($1_t)
+- alsa_manage_home_files($1_t)
- alsa_read_rw_config($1_t)
- alsa_relabel_home_files($1_t)
-+ alsa_filetrans_named_content($1_t)
+- alsa_relabel_home_files($1_t)
++ # Allow graphical boot to check battery lifespan
++ apm_stream_connect($1_usertype)
')
optional_policy(`
- # Allow graphical boot to check battery lifespan
+- # Allow graphical boot to check battery lifespan
- apm_stream_connect($1_t)
-+ apm_stream_connect($1_usertype)
-+ ')
-+
-+ optional_policy(`
+ canna_stream_connect($1_usertype)
-+ ')
-+
-+ optional_policy(`
-+ chrome_role($1_r, $1_usertype)
')
optional_policy(`
- canna_stream_connect($1_t)
-+ colord_read_lib_files($1_usertype)
++ chrome_role($1_r, $1_usertype)
')
optional_policy(`
- dbus_system_bus_client($1_t)
++ colord_read_lib_files($1_usertype)
++ ')
++
++ optional_policy(`
+ dbus_system_bus_client($1_usertype)
+
+ allow $1_usertype $1_usertype:dbus send_msg;
@@ -70640,64 +70693,66 @@ index 4b2878a..10ddf7d 100644
+ optional_policy(`
+ avahi_dbus_chat($1_usertype)
+ ')
++
++ optional_policy(`
++ policykit_dbus_chat($1_usertype)
++ ')
++
++ optional_policy(`
++ bluetooth_dbus_chat($1_usertype)
++ ')
++
++ optional_policy(`
++ consolekit_dbus_chat($1_usertype)
++ consolekit_read_log($1_usertype)
++ ')
++
++ optional_policy(`
++ devicekit_dbus_chat($1_usertype)
++ devicekit_dbus_chat_power($1_usertype)
++ devicekit_dbus_chat_disk($1_usertype)
++ ')
++
++ optional_policy(`
++ evolution_dbus_chat($1_usertype)
++ evolution_alarm_dbus_chat($1_usertype)
++ ')
++
++ optional_policy(`
++ gnome_dbus_chat_gconfdefault($1_usertype)
++ ')
optional_policy(`
- bluetooth_dbus_chat($1_t)
-+ policykit_dbus_chat($1_usertype)
++ hal_dbus_chat($1_usertype)
')
optional_policy(`
- evolution_dbus_chat($1_t)
- evolution_alarm_dbus_chat($1_t)
-+ bluetooth_dbus_chat($1_usertype)
++ kde_dbus_chat_backlighthelper($1_usertype)
')
optional_policy(`
- cups_dbus_chat_config($1_t)
-+ consolekit_dbus_chat($1_usertype)
-+ consolekit_read_log($1_usertype)
++ modemmanager_dbus_chat($1_usertype)
')
optional_policy(`
- hal_dbus_chat($1_t)
-+ devicekit_dbus_chat($1_usertype)
-+ devicekit_dbus_chat_power($1_usertype)
-+ devicekit_dbus_chat_disk($1_usertype)
++ networkmanager_dbus_chat($1_usertype)
++ networkmanager_read_lib_files($1_usertype)
')
optional_policy(`
- networkmanager_dbus_chat($1_t)
-+ evolution_dbus_chat($1_usertype)
-+ evolution_alarm_dbus_chat($1_usertype)
- ')
-+
-+ optional_policy(`
-+ gnome_dbus_chat_gconfdefault($1_usertype)
-+ ')
-+
-+ optional_policy(`
-+ hal_dbus_chat($1_usertype)
-+ ')
-+
-+ optional_policy(`
-+ kde_dbus_chat_backlighthelper($1_usertype)
-+ ')
-+
-+ optional_policy(`
-+ modemmanager_dbus_chat($1_usertype)
-+ ')
-+
-+ optional_policy(`
-+ networkmanager_dbus_chat($1_usertype)
-+ networkmanager_read_lib_files($1_usertype)
-+ ')
-+
-+ optional_policy(`
+ vpn_dbus_chat($1_usertype)
-+ ')
-+ ')
-+
-+ optional_policy(`
+ ')
+ ')
+
+ optional_policy(`
+- inetd_use_fds($1_t)
+- inetd_rw_tcp_sockets($1_t)
+ git_session_role($1_r, $1_usertype)
+ ')
+
@@ -70707,22 +70762,20 @@ index 4b2878a..10ddf7d 100644
')
optional_policy(`
-- inetd_use_fds($1_t)
-- inetd_rw_tcp_sockets($1_t)
-+ inn_read_config($1_usertype)
-+ inn_read_news_lib($1_usertype)
-+ inn_read_news_spool($1_usertype)
- ')
-
- optional_policy(`
- inn_read_config($1_t)
- inn_read_news_lib($1_t)
- inn_read_news_spool($1_t)
-+ lircd_stream_connect($1_usertype)
++ inn_read_config($1_usertype)
++ inn_read_news_lib($1_usertype)
++ inn_read_news_spool($1_usertype)
')
optional_policy(`
- locate_read_lib_files($1_t)
++ lircd_stream_connect($1_usertype)
++ ')
++
++ optional_policy(`
+ locate_read_lib_files($1_usertype)
')
@@ -70730,21 +70783,21 @@ index 4b2878a..10ddf7d 100644
optional_policy(`
- modutils_read_module_config($1_t)
+ modutils_read_module_config($1_usertype)
++ ')
++
++ optional_policy(`
++ mta_rw_spool($1_usertype)
++ mta_manage_queue($1_usertype)
++ mta_filetrans_home_content($1_usertype)
')
optional_policy(`
- mta_rw_spool($1_t)
-+ mta_rw_spool($1_usertype)
-+ mta_manage_queue($1_usertype)
-+ mta_filetrans_home_content($1_usertype)
-+ ')
-+
-+ optional_policy(`
+ nsplugin_role($1_r, $1_usertype)
')
optional_policy(`
-@@ -650,41 +805,50 @@ template(`userdom_common_user_template',`
+@@ -650,41 +798,50 @@ template(`userdom_common_user_template',`
optional_policy(`
# to allow monitoring of pcmcia status
@@ -70806,7 +70859,7 @@ index 4b2878a..10ddf7d 100644
')
#######################################
-@@ -712,13 +876,26 @@ template(`userdom_login_user_template', `
+@@ -712,13 +869,26 @@ template(`userdom_login_user_template', `
userdom_base_user_template($1)
@@ -70815,12 +70868,12 @@ index 4b2878a..10ddf7d 100644
+
+ userdom_manage_tmp_role($1_r, $1_usertype)
+ userdom_manage_tmpfs_role($1_r, $1_usertype)
-+
-+ ifelse(`$1',`unconfined',`',`
-+ gen_tunable(allow_$1_exec_content, true)
- userdom_manage_tmp_role($1_r, $1_t)
- userdom_manage_tmpfs_role($1_r, $1_t)
++ ifelse(`$1',`unconfined',`',`
++ gen_tunable(allow_$1_exec_content, true)
++
+ tunable_policy(`allow_$1_exec_content',`
+ userdom_exec_user_tmp_files($1_usertype)
+ userdom_exec_user_home_content_files($1_usertype)
@@ -70838,7 +70891,7 @@ index 4b2878a..10ddf7d 100644
userdom_change_password_template($1)
-@@ -736,72 +913,76 @@ template(`userdom_login_user_template', `
+@@ -736,72 +906,76 @@ template(`userdom_login_user_template', `
allow $1_t self:context contains;
@@ -70906,10 +70959,10 @@ index 4b2878a..10ddf7d 100644
- miscfiles_exec_tetex_data($1_t)
+ miscfiles_read_tetex_data($1_usertype)
+ miscfiles_exec_tetex_data($1_usertype)
-+
-+ seutil_read_config($1_usertype)
- seutil_read_config($1_t)
++ seutil_read_config($1_usertype)
++
+ optional_policy(`
+ cups_read_config($1_usertype)
+ cups_stream_connect($1_usertype)
@@ -70948,7 +71001,7 @@ index 4b2878a..10ddf7d 100644
')
')
-@@ -833,6 +1014,9 @@ template(`userdom_restricted_user_template',`
+@@ -833,6 +1007,9 @@ template(`userdom_restricted_user_template',`
typeattribute $1_t unpriv_userdomain;
domain_interactive_fd($1_t)
@@ -70958,7 +71011,7 @@ index 4b2878a..10ddf7d 100644
##############################
#
# Local policy
-@@ -874,45 +1058,118 @@ template(`userdom_restricted_xwindows_user_template',`
+@@ -874,45 +1051,118 @@ template(`userdom_restricted_xwindows_user_template',`
#
auth_role($1_r, $1_t)
@@ -71037,26 +71090,27 @@ index 4b2878a..10ddf7d 100644
+ consolekit_dontaudit_read_log($1_usertype)
+ consolekit_dbus_chat($1_usertype)
+ ')
-
- optional_policy(`
-- consolekit_dbus_chat($1_t)
++
++ optional_policy(`
+ cups_dbus_chat($1_usertype)
+ cups_dbus_chat_config($1_usertype)
- ')
++ ')
optional_policy(`
-- cups_dbus_chat($1_t)
+- consolekit_dbus_chat($1_t)
+ devicekit_dbus_chat($1_usertype)
+ devicekit_dbus_chat_disk($1_usertype)
+ devicekit_dbus_chat_power($1_usertype)
')
-+
-+ optional_policy(`
+
+ optional_policy(`
+- cups_dbus_chat($1_t)
+ fprintd_dbus_chat($1_t)
-+ ')
-+ ')
-+
-+ optional_policy(`
+ ')
+ ')
+
+ optional_policy(`
+- java_role($1_r, $1_t)
+ openoffice_role_template($1, $1_r, $1_usertype)
+ ')
+
@@ -71068,10 +71122,9 @@ index 4b2878a..10ddf7d 100644
+ pulseaudio_role($1_r, $1_usertype)
+ pulseaudio_filetrans_admin_home_content($1_usertype)
+ pulseaudio_filetrans_home_content($1_usertype)
- ')
-
- optional_policy(`
-- java_role($1_r, $1_t)
++ ')
++
++ optional_policy(`
+ rtkit_scheduled($1_usertype)
')
@@ -71088,7 +71141,7 @@ index 4b2878a..10ddf7d 100644
')
')
-@@ -947,7 +1204,7 @@ template(`userdom_unpriv_user_template', `
+@@ -947,7 +1197,7 @@ template(`userdom_unpriv_user_template', `
#
# Inherit rules for ordinary users.
@@ -71097,7 +71150,7 @@ index 4b2878a..10ddf7d 100644
userdom_common_user_template($1)
##############################
-@@ -956,12 +1213,15 @@ template(`userdom_unpriv_user_template', `
+@@ -956,12 +1206,15 @@ template(`userdom_unpriv_user_template', `
#
# port access is audited even if dac would not have allowed it, so dontaudit it here
@@ -71115,7 +71168,7 @@ index 4b2878a..10ddf7d 100644
files_read_kernel_symbol_table($1_t)
ifndef(`enable_mls',`
-@@ -978,23 +1238,72 @@ template(`userdom_unpriv_user_template', `
+@@ -978,23 +1231,72 @@ template(`userdom_unpriv_user_template', `
')
')
@@ -71174,9 +71227,11 @@ index 4b2878a..10ddf7d 100644
+
+ optional_policy(`
+ java_role_template($1, $1_r, $1_t)
-+ ')
-+
-+ optional_policy(`
+ ')
+
+ optional_policy(`
+- netutils_run_ping_cond($1_t, $1_r)
+- netutils_run_traceroute_cond($1_t, $1_r)
+ mono_role_template($1, $1_r, $1_t)
+ ')
+
@@ -71187,17 +71242,15 @@ index 4b2878a..10ddf7d 100644
+
+ optional_policy(`
+ wine_role_template($1, $1_r, $1_t)
- ')
-
- optional_policy(`
-- netutils_run_ping_cond($1_t, $1_r)
-- netutils_run_traceroute_cond($1_t, $1_r)
++ ')
++
++ optional_policy(`
+ postfix_run_postdrop($1_t, $1_r)
+ postfix_search_spool($1_t)
')
# Run pppd in pppd_t by default for user
-@@ -1003,7 +1312,9 @@ template(`userdom_unpriv_user_template', `
+@@ -1003,7 +1305,9 @@ template(`userdom_unpriv_user_template', `
')
optional_policy(`
@@ -71208,7 +71261,7 @@ index 4b2878a..10ddf7d 100644
')
')
-@@ -1039,7 +1350,7 @@ template(`userdom_unpriv_user_template', `
+@@ -1039,7 +1343,7 @@ template(`userdom_unpriv_user_template', `
template(`userdom_admin_user_template',`
gen_require(`
attribute admindomain;
@@ -71217,7 +71270,7 @@ index 4b2878a..10ddf7d 100644
')
##############################
-@@ -1066,6 +1377,7 @@ template(`userdom_admin_user_template',`
+@@ -1066,6 +1370,7 @@ template(`userdom_admin_user_template',`
#
allow $1_t self:capability ~{ sys_module audit_control audit_write };
@@ -71225,7 +71278,7 @@ index 4b2878a..10ddf7d 100644
allow $1_t self:process { setexec setfscreate };
allow $1_t self:netlink_audit_socket nlmsg_readpriv;
allow $1_t self:tun_socket create;
-@@ -1074,6 +1386,9 @@ template(`userdom_admin_user_template',`
+@@ -1074,6 +1379,9 @@ template(`userdom_admin_user_template',`
# Skip authentication when pam_rootok is specified.
allow $1_t self:passwd rootok;
@@ -71235,7 +71288,7 @@ index 4b2878a..10ddf7d 100644
kernel_read_software_raid_state($1_t)
kernel_getattr_core_if($1_t)
kernel_getattr_message_if($1_t)
-@@ -1088,6 +1403,7 @@ template(`userdom_admin_user_template',`
+@@ -1088,6 +1396,7 @@ template(`userdom_admin_user_template',`
kernel_sigstop_unlabeled($1_t)
kernel_signull_unlabeled($1_t)
kernel_sigchld_unlabeled($1_t)
@@ -71243,7 +71296,7 @@ index 4b2878a..10ddf7d 100644
corenet_tcp_bind_generic_port($1_t)
# allow setting up tunnels
-@@ -1105,10 +1421,13 @@ template(`userdom_admin_user_template',`
+@@ -1105,10 +1414,13 @@ template(`userdom_admin_user_template',`
dev_rename_all_blk_files($1_t)
dev_rename_all_chr_files($1_t)
dev_create_generic_symlinks($1_t)
@@ -71257,7 +71310,7 @@ index 4b2878a..10ddf7d 100644
domain_dontaudit_ptrace_all_domains($1_t)
# signal all domains:
domain_kill_all_domains($1_t)
-@@ -1119,29 +1438,38 @@ template(`userdom_admin_user_template',`
+@@ -1119,29 +1431,38 @@ template(`userdom_admin_user_template',`
domain_sigchld_all_domains($1_t)
# for lsof
domain_getattr_all_sockets($1_t)
@@ -71300,7 +71353,7 @@ index 4b2878a..10ddf7d 100644
# The following rule is temporary until such time that a complete
# policy management infrastructure is in place so that an administrator
-@@ -1151,6 +1479,8 @@ template(`userdom_admin_user_template',`
+@@ -1151,6 +1472,8 @@ template(`userdom_admin_user_template',`
# But presently necessary for installing the file_contexts file.
seutil_manage_bin_policy($1_t)
@@ -71309,7 +71362,7 @@ index 4b2878a..10ddf7d 100644
userdom_manage_user_home_content_dirs($1_t)
userdom_manage_user_home_content_files($1_t)
userdom_manage_user_home_content_symlinks($1_t)
-@@ -1210,6 +1540,8 @@ template(`userdom_security_admin_template',`
+@@ -1210,6 +1533,8 @@ template(`userdom_security_admin_template',`
dev_relabel_all_dev_nodes($1)
files_create_boot_flag($1)
@@ -71318,7 +71371,7 @@ index 4b2878a..10ddf7d 100644
# Necessary for managing /boot/efi
fs_manage_dos_files($1)
-@@ -1222,8 +1554,9 @@ template(`userdom_security_admin_template',`
+@@ -1222,8 +1547,9 @@ template(`userdom_security_admin_template',`
selinux_set_enforce_mode($1)
selinux_set_all_booleans($1)
selinux_set_parameters($1)
@@ -71329,7 +71382,7 @@ index 4b2878a..10ddf7d 100644
auth_relabel_shadow($1)
init_exec($1)
-@@ -1234,13 +1567,24 @@ template(`userdom_security_admin_template',`
+@@ -1234,13 +1560,24 @@ template(`userdom_security_admin_template',`
logging_read_audit_config($1)
seutil_manage_bin_policy($1)
@@ -71358,7 +71411,7 @@ index 4b2878a..10ddf7d 100644
')
optional_policy(`
-@@ -1251,12 +1595,12 @@ template(`userdom_security_admin_template',`
+@@ -1251,12 +1588,12 @@ template(`userdom_security_admin_template',`
dmesg_exec($1)
')
@@ -71374,7 +71427,7 @@ index 4b2878a..10ddf7d 100644
')
optional_policy(`
-@@ -1279,54 +1623,66 @@ template(`userdom_security_admin_template',`
+@@ -1279,54 +1616,66 @@ template(`userdom_security_admin_template',`
interface(`userdom_user_home_content',`
gen_require(`
type user_home_t;
@@ -71456,13 +71509,14 @@ index 4b2878a..10ddf7d 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -1334,7 +1690,44 @@ interface(`userdom_setattr_user_ptys',`
+@@ -1334,9 +1683,46 @@ interface(`userdom_setattr_user_ptys',`
## </summary>
## </param>
#
-interface(`userdom_create_user_pty',`
+interface(`userdom_attach_admin_tun_iface',`
-+ gen_require(`
+ gen_require(`
+- type user_devpts_t;
+ attribute admindomain;
+ ')
+
@@ -71499,10 +71553,12 @@ index 4b2878a..10ddf7d 100644
+## </param>
+#
+interface(`userdom_create_user_pty',`
- gen_require(`
- type user_devpts_t;
++ gen_require(`
++ type user_devpts_t;
')
-@@ -1395,6 +1788,7 @@ interface(`userdom_search_user_home_dirs',`
+
+ term_create_pty($1, user_devpts_t)
+@@ -1395,6 +1781,7 @@ interface(`userdom_search_user_home_dirs',`
')
allow $1 user_home_dir_t:dir search_dir_perms;
@@ -71510,7 +71566,7 @@ index 4b2878a..10ddf7d 100644
files_search_home($1)
')
-@@ -1441,6 +1835,14 @@ interface(`userdom_list_user_home_dirs',`
+@@ -1441,6 +1828,14 @@ interface(`userdom_list_user_home_dirs',`
allow $1 user_home_dir_t:dir list_dir_perms;
files_search_home($1)
@@ -71525,7 +71581,7 @@ index 4b2878a..10ddf7d 100644
')
########################################
-@@ -1456,9 +1858,11 @@ interface(`userdom_list_user_home_dirs',`
+@@ -1456,9 +1851,11 @@ interface(`userdom_list_user_home_dirs',`
interface(`userdom_dontaudit_list_user_home_dirs',`
gen_require(`
type user_home_dir_t;
@@ -71537,7 +71593,7 @@ index 4b2878a..10ddf7d 100644
')
########################################
-@@ -1515,6 +1919,42 @@ interface(`userdom_relabelto_user_home_dirs',`
+@@ -1515,6 +1912,42 @@ interface(`userdom_relabelto_user_home_dirs',`
allow $1 user_home_dir_t:dir relabelto;
')
@@ -71580,7 +71636,7 @@ index 4b2878a..10ddf7d 100644
########################################
## <summary>
## Create directories in the home dir root with
-@@ -1589,6 +2029,8 @@ interface(`userdom_dontaudit_search_user_home_content',`
+@@ -1589,6 +2022,8 @@ interface(`userdom_dontaudit_search_user_home_content',`
')
dontaudit $1 user_home_t:dir search_dir_perms;
@@ -71589,7 +71645,7 @@ index 4b2878a..10ddf7d 100644
')
########################################
-@@ -1603,10 +2045,12 @@ interface(`userdom_dontaudit_search_user_home_content',`
+@@ -1603,10 +2038,12 @@ interface(`userdom_dontaudit_search_user_home_content',`
#
interface(`userdom_list_user_home_content',`
gen_require(`
@@ -71604,7 +71660,7 @@ index 4b2878a..10ddf7d 100644
')
########################################
-@@ -1649,6 +2093,43 @@ interface(`userdom_delete_user_home_content_dirs',`
+@@ -1649,6 +2086,43 @@ interface(`userdom_delete_user_home_content_dirs',`
########################################
## <summary>
@@ -71648,7 +71704,7 @@ index 4b2878a..10ddf7d 100644
## Do not audit attempts to set the
## attributes of user home files.
## </summary>
-@@ -1668,6 +2149,25 @@ interface(`userdom_dontaudit_setattr_user_home_content_files',`
+@@ -1668,6 +2142,25 @@ interface(`userdom_dontaudit_setattr_user_home_content_files',`
########################################
## <summary>
@@ -71674,7 +71730,7 @@ index 4b2878a..10ddf7d 100644
## Mmap user home files.
## </summary>
## <param name="domain">
-@@ -1700,12 +2200,32 @@ interface(`userdom_read_user_home_content_files',`
+@@ -1700,12 +2193,32 @@ interface(`userdom_read_user_home_content_files',`
type user_home_dir_t, user_home_t;
')
@@ -71707,7 +71763,7 @@ index 4b2878a..10ddf7d 100644
## Do not audit attempts to read user home files.
## </summary>
## <param name="domain">
-@@ -1716,11 +2236,14 @@ interface(`userdom_read_user_home_content_files',`
+@@ -1716,11 +2229,14 @@ interface(`userdom_read_user_home_content_files',`
#
interface(`userdom_dontaudit_read_user_home_content_files',`
gen_require(`
@@ -71725,7 +71781,7 @@ index 4b2878a..10ddf7d 100644
')
########################################
-@@ -1779,6 +2302,60 @@ interface(`userdom_delete_user_home_content_files',`
+@@ -1779,6 +2295,60 @@ interface(`userdom_delete_user_home_content_files',`
########################################
## <summary>
@@ -71786,7 +71842,7 @@ index 4b2878a..10ddf7d 100644
## Do not audit attempts to write user home files.
## </summary>
## <param name="domain">
-@@ -1810,8 +2387,7 @@ interface(`userdom_read_user_home_content_symlinks',`
+@@ -1810,8 +2380,7 @@ interface(`userdom_read_user_home_content_symlinks',`
type user_home_dir_t, user_home_t;
')
@@ -71796,7 +71852,7 @@ index 4b2878a..10ddf7d 100644
')
########################################
-@@ -1827,20 +2403,14 @@ interface(`userdom_read_user_home_content_symlinks',`
+@@ -1827,20 +2396,14 @@ interface(`userdom_read_user_home_content_symlinks',`
#
interface(`userdom_exec_user_home_content_files',`
gen_require(`
@@ -71821,7 +71877,7 @@ index 4b2878a..10ddf7d 100644
########################################
## <summary>
-@@ -1941,6 +2511,24 @@ interface(`userdom_delete_user_home_content_symlinks',`
+@@ -1941,6 +2504,24 @@ interface(`userdom_delete_user_home_content_symlinks',`
########################################
## <summary>
@@ -71846,7 +71902,7 @@ index 4b2878a..10ddf7d 100644
## Create, read, write, and delete named pipes
## in a user home subdirectory.
## </summary>
-@@ -2008,7 +2596,7 @@ interface(`userdom_user_home_dir_filetrans',`
+@@ -2008,7 +2589,7 @@ interface(`userdom_user_home_dir_filetrans',`
type user_home_dir_t;
')
@@ -71855,7 +71911,7 @@ index 4b2878a..10ddf7d 100644
files_search_home($1)
')
-@@ -2039,7 +2627,7 @@ interface(`userdom_user_home_content_filetrans',`
+@@ -2039,7 +2620,7 @@ interface(`userdom_user_home_content_filetrans',`
type user_home_dir_t, user_home_t;
')
@@ -71864,7 +71920,7 @@ index 4b2878a..10ddf7d 100644
allow $1 user_home_dir_t:dir search_dir_perms;
files_search_home($1)
')
-@@ -2182,7 +2770,7 @@ interface(`userdom_dontaudit_read_user_tmp_files',`
+@@ -2182,7 +2763,7 @@ interface(`userdom_dontaudit_read_user_tmp_files',`
type user_tmp_t;
')
@@ -71873,7 +71929,7 @@ index 4b2878a..10ddf7d 100644
')
########################################
-@@ -2390,7 +2978,7 @@ interface(`userdom_user_tmp_filetrans',`
+@@ -2390,7 +2971,7 @@ interface(`userdom_user_tmp_filetrans',`
type user_tmp_t;
')
@@ -71882,7 +71938,7 @@ index 4b2878a..10ddf7d 100644
files_search_tmp($1)
')
-@@ -2435,13 +3023,14 @@ interface(`userdom_read_user_tmpfs_files',`
+@@ -2435,13 +3016,14 @@ interface(`userdom_read_user_tmpfs_files',`
')
read_files_pattern($1, user_tmpfs_t, user_tmpfs_t)
@@ -71898,7 +71954,7 @@ index 4b2878a..10ddf7d 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -2462,26 +3051,6 @@ interface(`userdom_rw_user_tmpfs_files',`
+@@ -2462,26 +3044,6 @@ interface(`userdom_rw_user_tmpfs_files',`
########################################
## <summary>
@@ -71925,7 +71981,7 @@ index 4b2878a..10ddf7d 100644
## Get the attributes of a user domain tty.
## </summary>
## <param name="domain">
-@@ -2572,7 +3141,7 @@ interface(`userdom_use_user_ttys',`
+@@ -2572,7 +3134,7 @@ interface(`userdom_use_user_ttys',`
########################################
## <summary>
@@ -71934,7 +71990,7 @@ index 4b2878a..10ddf7d 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -2580,70 +3149,138 @@ interface(`userdom_use_user_ttys',`
+@@ -2580,70 +3142,138 @@ interface(`userdom_use_user_ttys',`
## </summary>
## </param>
#
@@ -72006,9 +72062,8 @@ index 4b2878a..10ddf7d 100644
gen_require(`
- type user_tty_device_t, user_devpts_t;
+ type user_devpts_t;
- ')
-
-- dontaudit $1 user_tty_device_t:chr_file rw_term_perms;
++ ')
++
+ allow $1 user_devpts_t:chr_file rw_inherited_term_perms;
+')
+
@@ -72075,9 +72130,9 @@ index 4b2878a..10ddf7d 100644
+interface(`userdom_dontaudit_use_user_terminals',`
+ gen_require(`
+ type user_tty_device_t, user_devpts_t;
-+ ')
-+
-+ dontaudit $1 user_tty_device_t:chr_file rw_term_perms;
+ ')
+
+ dontaudit $1 user_tty_device_t:chr_file rw_term_perms;
dontaudit $1 user_devpts_t:chr_file rw_term_perms;
')
@@ -72103,7 +72158,7 @@ index 4b2878a..10ddf7d 100644
########################################
## <summary>
## Execute a shell in all user domains. This
-@@ -2713,6 +3350,24 @@ interface(`userdom_spec_domtrans_unpriv_users',`
+@@ -2713,6 +3343,24 @@ interface(`userdom_spec_domtrans_unpriv_users',`
allow unpriv_userdomain $1:process sigchld;
')
@@ -72128,7 +72183,7 @@ index 4b2878a..10ddf7d 100644
########################################
## <summary>
## Execute an Xserver session in all unprivileged user domains. This
-@@ -2736,24 +3391,6 @@ interface(`userdom_xsession_spec_domtrans_unpriv_users',`
+@@ -2736,24 +3384,6 @@ interface(`userdom_xsession_spec_domtrans_unpriv_users',`
allow unpriv_userdomain $1:process sigchld;
')
@@ -72153,7 +72208,7 @@ index 4b2878a..10ddf7d 100644
########################################
## <summary>
## Manage unpriviledged user SysV sempaphores.
-@@ -2772,25 +3409,6 @@ interface(`userdom_manage_unpriv_user_semaphores',`
+@@ -2772,25 +3402,6 @@ interface(`userdom_manage_unpriv_user_semaphores',`
allow $1 unpriv_userdomain:sem create_sem_perms;
')
@@ -72179,7 +72234,7 @@ index 4b2878a..10ddf7d 100644
########################################
## <summary>
## Manage unpriviledged user SysV shared
-@@ -2852,7 +3470,7 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
+@@ -2852,7 +3463,7 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
domain_entry_file_spec_domtrans($1, unpriv_userdomain)
allow unpriv_userdomain $1:fd use;
@@ -72188,7 +72243,7 @@ index 4b2878a..10ddf7d 100644
allow unpriv_userdomain $1:process sigchld;
')
-@@ -2868,29 +3486,13 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
+@@ -2868,29 +3479,13 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
#
interface(`userdom_search_user_home_content',`
gen_require(`
@@ -72222,7 +72277,7 @@ index 4b2878a..10ddf7d 100644
')
########################################
-@@ -2972,7 +3574,7 @@ interface(`userdom_dontaudit_use_user_ptys',`
+@@ -2972,7 +3567,7 @@ interface(`userdom_dontaudit_use_user_ptys',`
type user_devpts_t;
')
@@ -72231,7 +72286,7 @@ index 4b2878a..10ddf7d 100644
')
########################################
-@@ -3027,7 +3629,45 @@ interface(`userdom_write_user_tmp_files',`
+@@ -3027,7 +3622,45 @@ interface(`userdom_write_user_tmp_files',`
type user_tmp_t;
')
@@ -72278,7 +72333,7 @@ index 4b2878a..10ddf7d 100644
')
########################################
-@@ -3064,6 +3704,7 @@ interface(`userdom_read_all_users_state',`
+@@ -3064,6 +3697,7 @@ interface(`userdom_read_all_users_state',`
')
read_files_pattern($1, userdomain, userdomain)
@@ -72286,7 +72341,7 @@ index 4b2878a..10ddf7d 100644
kernel_search_proc($1)
')
-@@ -3142,6 +3783,24 @@ interface(`userdom_signal_all_users',`
+@@ -3142,6 +3776,24 @@ interface(`userdom_signal_all_users',`
########################################
## <summary>
@@ -72311,7 +72366,7 @@ index 4b2878a..10ddf7d 100644
## Send a SIGCHLD signal to all user domains.
## </summary>
## <param name="domain">
-@@ -3194,3 +3853,1076 @@ interface(`userdom_dbus_send_all_users',`
+@@ -3194,3 +3846,1076 @@ interface(`userdom_dbus_send_all_users',`
allow $1 userdomain:dbus send_msg;
')
@@ -73389,7 +73444,7 @@ index 4b2878a..10ddf7d 100644
+ allow $1 unpriv_userdomain:sem rw_sem_perms;
+')
diff --git a/policy/modules/system/userdomain.te b/policy/modules/system/userdomain.te
-index 9b4a930..6bdf7f7 100644
+index 9b4a930..02686f5 100644
--- a/policy/modules/system/userdomain.te
+++ b/policy/modules/system/userdomain.te
@@ -7,7 +7,7 @@ policy_module(userdomain, 4.5.2)
@@ -73442,7 +73497,7 @@ index 9b4a930..6bdf7f7 100644
type user_home_dir_t alias { staff_home_dir_t sysadm_home_dir_t secadm_home_dir_t auditadm_home_dir_t unconfined_home_dir_t };
fs_associate_tmpfs(user_home_dir_t)
files_type(user_home_dir_t)
-@@ -71,26 +98,66 @@ ubac_constrained(user_home_dir_t)
+@@ -71,26 +98,73 @@ ubac_constrained(user_home_dir_t)
type user_home_t alias { staff_home_t sysadm_home_t secadm_home_t auditadm_home_t unconfined_home_t };
typealias user_home_t alias { staff_untrusted_content_t sysadm_untrusted_content_t secadm_untrusted_content_t auditadm_untrusted_content_t unconfined_untrusted_content_t };
@@ -73501,6 +73556,13 @@ index 9b4a930..6bdf7f7 100644
+dontaudit unpriv_userdomain self:dir setattr;
+
+optional_policy(`
++ alsa_read_rw_config(unpriv_userdomain)
++ alsa_manage_home_files(unpriv_userdomain)
++ alsa_relabel_home_files(unpriv_userdomain)
++ alsa_filetrans_named_content(unpriv_userdomain)
++')
++
++optional_policy(`
+ gnome_filetrans_home_content(userdomain)
+')
+
diff --git a/selinux-policy.spec b/selinux-policy.spec
index ad73f3d..6dfe590 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -13,11 +13,11 @@
%define POLICYVER 26
%define libsepolver 2.0.44-2
%define POLICYCOREUTILSVER 2.0.86-12
-%define CHECKPOLICYVER 2.0.26-1
+%define CHECKPOLICYVER 2.1.3-1.1
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.10.0
-Release: 30%{?dist}
+Release: 31%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -468,6 +468,10 @@ SELinux Reference policy mls base module.
%endif
%changelog
+* Tue Sep 20 2011 Miroslav Grepl <mgrepl at redhat.com> 3.10.0-31
+- Needs to require a new version of checkpolicy
+- Interface fixes
+
* Mon Sep 19 2011 Miroslav Grepl <mgrepl at redhat.com> 3.10.0-30
- systemd needs to read lnk files of systemd unit files
- FIx userdom filetrans rule to take all params
More information about the scm-commits
mailing list