[selinux-policy/f18] - Add new selinuxuser_use_ssh_chroot boolean - dbus needs to be able to read/write inherite - Cleanu
Miroslav Grepl
mgrepl at fedoraproject.org
Fri Oct 26 10:53:45 UTC 2012
commit a7ad855c36af0f64879210d91b2febfc7d70b71a
Author: Miroslav Grepl <mgrepl at redhat.com>
Date: Fri Oct 26 12:53:31 2012 +0200
- Add new selinuxuser_use_ssh_chroot boolean
- dbus needs to be able to read/write inherite
- Cleanup netutils process allow rule
- Dontaudit leaked fifo files from openshift t
- sanlock needs to read mnt_t lnk files
- Fail2ban needs to setsched and sys_nice
policy-rawhide.patch | 704 ++++++++++++++++++++++++++++--------------
policy_contrib-rawhide.patch | 48 ++-
selinux-policy.spec | 10 +-
3 files changed, 507 insertions(+), 255 deletions(-)
---
diff --git a/policy-rawhide.patch b/policy-rawhide.patch
index 14d84c2..5bcfad6 100644
--- a/policy-rawhide.patch
+++ b/policy-rawhide.patch
@@ -109515,7 +109515,7 @@ index c6ca761..0c86bfd 100644
')
diff --git a/policy/modules/admin/netutils.te b/policy/modules/admin/netutils.te
-index e0791b9..dc115e8 100644
+index e0791b9..f0c6208 100644
--- a/policy/modules/admin/netutils.te
+++ b/policy/modules/admin/netutils.te
@@ -7,10 +7,10 @@ policy_module(netutils, 1.11.0)
@@ -109531,11 +109531,12 @@ index e0791b9..dc115e8 100644
type netutils_t;
type netutils_exec_t;
-@@ -36,11 +36,13 @@ init_system_domain(traceroute_t, traceroute_exec_t)
+@@ -35,12 +35,13 @@ init_system_domain(traceroute_t, traceroute_exec_t)
+ # Perform network administration operations and have raw access to the network.
allow netutils_t self:capability { net_admin net_raw setuid setgid };
dontaudit netutils_t self:capability sys_tty_config;
- allow netutils_t self:process signal_perms;
-+allow netutils_t self:process setcap;
+-allow netutils_t self:process signal_perms;
++allow netutils_t self:process { setcap signal_perms };
allow netutils_t self:netlink_route_socket create_netlink_socket_perms;
allow netutils_t self:packet_socket create_socket_perms;
allow netutils_t self:udp_socket create_socket_perms;
@@ -109545,7 +109546,7 @@ index e0791b9..dc115e8 100644
manage_dirs_pattern(netutils_t, netutils_tmp_t, netutils_tmp_t)
manage_files_pattern(netutils_t, netutils_tmp_t, netutils_tmp_t)
-@@ -48,8 +50,9 @@ files_tmp_filetrans(netutils_t, netutils_tmp_t, { file dir })
+@@ -48,8 +49,9 @@ files_tmp_filetrans(netutils_t, netutils_tmp_t, { file dir })
kernel_search_proc(netutils_t)
kernel_read_all_sysctls(netutils_t)
@@ -109556,7 +109557,7 @@ index e0791b9..dc115e8 100644
corenet_all_recvfrom_netlabel(netutils_t)
corenet_tcp_sendrecv_generic_if(netutils_t)
corenet_raw_sendrecv_generic_if(netutils_t)
-@@ -64,6 +67,9 @@ corenet_sendrecv_all_client_packets(netutils_t)
+@@ -64,6 +66,9 @@ corenet_sendrecv_all_client_packets(netutils_t)
corenet_udp_bind_generic_node(netutils_t)
dev_read_sysfs(netutils_t)
@@ -109566,7 +109567,7 @@ index e0791b9..dc115e8 100644
fs_getattr_xattr_fs(netutils_t)
-@@ -80,10 +86,9 @@ auth_use_nsswitch(netutils_t)
+@@ -80,10 +85,9 @@ auth_use_nsswitch(netutils_t)
logging_send_syslog_msg(netutils_t)
@@ -109578,7 +109579,7 @@ index e0791b9..dc115e8 100644
userdom_use_all_users_fds(netutils_t)
optional_policy(`
-@@ -104,13 +109,14 @@ optional_policy(`
+@@ -104,13 +108,14 @@ optional_policy(`
#
allow ping_t self:capability { setuid net_raw };
@@ -109594,6 +109595,14 @@ index e0791b9..dc115e8 100644
corenet_all_recvfrom_netlabel(ping_t)
corenet_tcp_sendrecv_generic_if(ping_t)
corenet_raw_sendrecv_generic_if(ping_t)
+@@ -120,6 +125,7 @@ corenet_raw_bind_generic_node(ping_t)
+ corenet_tcp_sendrecv_all_ports(ping_t)
+
+ fs_dontaudit_getattr_xattr_fs(ping_t)
++fs_dontaudit_rw_anon_inodefs_files(ping_t)
+
+ domain_use_interactive_fds(ping_t)
+
@@ -130,11 +136,9 @@ kernel_read_system_state(ping_t)
auth_use_nsswitch(ping_t)
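Review bot: The new `fs_dontaudit_rw_anon_inodefs_files(ping_t)` silences denials without recording which leaked descriptor provokes them, so the next reader cannot tell whether the dontaudit is still needed or is now masking a real leak; the same applies to `openshift_dontaudit_rw_inherited_fifo_files(ping_t)` in the following hunk. A one-line comment naming the source would keep the rule auditable, e.g. `# leaked anon_inodefs fd inherited from the caller; silence rather than allow (presumably eventfd/signalfd — confirm from the AVC)`. Choosing dontaudit over an allow for inherited descriptors is the right direction, since it hides noise without widening what ping_t may touch. The enclosing ping_t policy block continues outside this hunk.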
@@ -109634,12 +109643,13 @@ index e0791b9..dc115e8 100644
pcmcia_use_cardmgr_fds(ping_t)
')
-@@ -157,6 +175,14 @@ optional_policy(`
+@@ -157,6 +175,15 @@ optional_policy(`
hotplug_use_fds(ping_t)
')
+optional_policy(`
+ openshift_rw_inherited_content(ping_t)
++ openshift_dontaudit_rw_inherited_fifo_files(ping_t)
+')
+
+optional_policy(`
@@ -109649,7 +109659,7 @@ index e0791b9..dc115e8 100644
########################################
#
# Traceroute local policy
-@@ -170,7 +196,6 @@ allow traceroute_t self:udp_socket create_socket_perms;
+@@ -170,7 +197,6 @@ allow traceroute_t self:udp_socket create_socket_perms;
kernel_read_system_state(traceroute_t)
kernel_read_network_state(traceroute_t)
@@ -109657,7 +109667,7 @@ index e0791b9..dc115e8 100644
corenet_all_recvfrom_netlabel(traceroute_t)
corenet_tcp_sendrecv_generic_if(traceroute_t)
corenet_udp_sendrecv_generic_if(traceroute_t)
-@@ -194,6 +219,7 @@ fs_dontaudit_getattr_xattr_fs(traceroute_t)
+@@ -194,6 +220,7 @@ fs_dontaudit_getattr_xattr_fs(traceroute_t)
domain_use_interactive_fds(traceroute_t)
files_read_etc_files(traceroute_t)
@@ -109665,7 +109675,7 @@ index e0791b9..dc115e8 100644
files_dontaudit_search_var(traceroute_t)
init_use_fds(traceroute_t)
-@@ -202,11 +228,17 @@ auth_use_nsswitch(traceroute_t)
+@@ -202,11 +229,17 @@ auth_use_nsswitch(traceroute_t)
logging_send_syslog_msg(traceroute_t)
@@ -120501,10 +120511,36 @@ index 54f1827..a2d5eaa 100644
+/usr/lib/udev/devices/loop.* -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
+/usr/lib/udev/devices/fuse -c gen_context(system_u:object_r:fuse_device_t,s0)
diff --git a/policy/modules/kernel/storage.if b/policy/modules/kernel/storage.if
-index 1700ef2..9282b84 100644
+index 1700ef2..5b6d5d6 100644
--- a/policy/modules/kernel/storage.if
+++ b/policy/modules/kernel/storage.if
-@@ -101,6 +101,8 @@ interface(`storage_raw_read_fixed_disk',`
+@@ -22,6 +22,25 @@ interface(`storage_getattr_fixed_disk_dev',`
+
+ ########################################
+ ## <summary>
++## Allow the caller to read/write inherited fixed disk
++## device nodes.
++## </summary>
++## <param name="domain">
++## <summary>
++## The domain allowed access.
++## </summary>
++## </param>
++#
++interface(`storage_rw_inherited_fixed_disk_dev',`
++ gen_require(`
++ type fixed_disk_device_t;
++ ')
++
++ allow $1 fixed_disk_device_t:chr_file { read write };
++')
++
++########################################
++## <summary>
+ ## Do not audit attempts made by the caller to get
+ ## the attributes of fixed disk device nodes.
+ ## </summary>
+@@ -101,6 +120,8 @@ interface(`storage_raw_read_fixed_disk',`
dev_list_all_dev_nodes($1)
allow $1 fixed_disk_device_t:blk_file read_blk_file_perms;
allow $1 fixed_disk_device_t:chr_file read_chr_file_perms;
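Review bot: The new `storage_rw_inherited_fixed_disk_dev` interface grants `read write` on `fixed_disk_device_t` for the `chr_file` class only, while its summary speaks of "fixed disk device nodes" in general; most fixed-disk nodes are block devices, so either the summary should name the character-device case or `blk_file` is missing from the rule. Either way the interface hands the caller read/write on a raw disk object — the lack of `open` only means the descriptor has to be inherited — and the documentation should say so, e.g. `## Allow the caller to read/write already-open (inherited) fixed disk character device nodes; the caller gains no right to open them.` If block devices are in scope as well, the corresponding `allow $1 fixed_disk_device_t:blk_file { read write };` line should be added next to the chr_file rule. The `dontaudit` variant that immediately follows the inserted interface is unchanged context.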
@@ -120513,7 +120549,7 @@ index 1700ef2..9282b84 100644
typeattribute $1 fixed_disk_raw_read;
')
-@@ -205,6 +207,7 @@ interface(`storage_create_fixed_disk_dev',`
+@@ -205,6 +226,7 @@ interface(`storage_create_fixed_disk_dev',`
allow $1 self:capability mknod;
allow $1 fixed_disk_device_t:blk_file create_blk_file_perms;
@@ -120521,7 +120557,7 @@ index 1700ef2..9282b84 100644
dev_add_entry_generic_dirs($1)
')
-@@ -269,6 +272,48 @@ interface(`storage_dev_filetrans_fixed_disk',`
+@@ -269,6 +291,48 @@ interface(`storage_dev_filetrans_fixed_disk',`
dev_filetrans($1, fixed_disk_device_t, blk_file)
')
@@ -120570,7 +120606,7 @@ index 1700ef2..9282b84 100644
########################################
## <summary>
## Create block devices in on a tmpfs filesystem with the
-@@ -808,3 +853,369 @@ interface(`storage_unconfined',`
+@@ -808,3 +872,369 @@ interface(`storage_unconfined',`
typeattribute $1 storage_unconfined_type;
')
@@ -141322,7 +141358,7 @@ index db75976..ce61aed 100644
+
+/var/run/user(/.*)? gen_context(system_u:object_r:user_tmp_t,s0)
diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
-index e720dcd..1c8d838 100644
+index e720dcd..86d9141 100644
--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
@@ -30,9 +30,11 @@ template(`userdom_base_user_template',`
@@ -142241,7 +142277,7 @@ index e720dcd..1c8d838 100644
userdom_change_password_template($1)
-@@ -727,82 +936,96 @@ template(`userdom_login_user_template', `
+@@ -727,82 +936,100 @@ template(`userdom_login_user_template', `
#
# User domain Local policy
#
@@ -142249,6 +142285,10 @@ index e720dcd..1c8d838 100644
- allow $1_t self:capability { setgid chown fowner };
dontaudit $1_t self:capability { sys_nice fsetid };
+ allow $1_t self:process ~{ ptrace execmem execstack execheap };
++
++ tunable_policy(`selinuxuser_use_ssh_chroot',`
++ allow $1_t self:capability { setuid sys_chroot };
++ ')
- allow $1_t self:process ~{ setcurrent setexec setrlimit execmem execstack execheap };
dontaudit $1_t self:process setrlimit;
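Review bot: The added `tunable_policy(`selinuxuser_use_ssh_chroot',`` block grants `setuid sys_chroot` to every domain built from `userdom_login_user_template` when the boolean is on, but the hunk contains neither the `gen_tunable` declaration nor the boolean's `<desc>` text; if those live in another hunk of the patch this is fine, otherwise the build will fail on the undeclared tunable. A short comment stating the use case would help reviewers judge the grant, e.g. `# selinuxuser_use_ssh_chroot: allow user shells to chroot (presumably sshd ChrootDirectory setups — confirm); default stays off`. Because `sys_chroot` combined with `setuid` is a meaningful widening of an otherwise unprivileged user domain, the `<desc>` for the boolean should say plainly that it applies to all login user domains, not only the sshd-facing ones. The enclosing template body continues outside this hunk.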
@@ -142374,7 +142414,7 @@ index e720dcd..1c8d838 100644
')
')
-@@ -834,6 +1057,12 @@ template(`userdom_restricted_user_template',`
+@@ -834,6 +1061,12 @@ template(`userdom_restricted_user_template',`
typeattribute $1_t unpriv_userdomain;
domain_interactive_fd($1_t)
@@ -142387,7 +142427,7 @@ index e720dcd..1c8d838 100644
##############################
#
# Local policy
-@@ -874,46 +1103,118 @@ template(`userdom_restricted_xwindows_user_template',`
+@@ -874,46 +1107,118 @@ template(`userdom_restricted_xwindows_user_template',`
# Local policy
#
@@ -142473,26 +142513,25 @@ index e720dcd..1c8d838 100644
+ cups_dbus_chat($1_usertype)
+ cups_dbus_chat_config($1_usertype)
+ ')
-+
-+ optional_policy(`
-+ devicekit_dbus_chat($1_usertype)
-+ devicekit_dbus_chat_disk($1_usertype)
-+ devicekit_dbus_chat_power($1_usertype)
-+ ')
optional_policy(`
- consolekit_dbus_chat($1_t)
-+ fprintd_dbus_chat($1_t)
++ devicekit_dbus_chat($1_usertype)
++ devicekit_dbus_chat_disk($1_usertype)
++ devicekit_dbus_chat_power($1_usertype)
')
optional_policy(`
- cups_dbus_chat($1_t)
-+ realmd_dbus_chat($1_t)
++ fprintd_dbus_chat($1_t)
')
- ')
-
- optional_policy(`
-- java_role($1_r, $1_t)
++
++ optional_policy(`
++ realmd_dbus_chat($1_t)
++ ')
++ ')
++
++ optional_policy(`
+ policykit_role($1_r, $1_usertype)
+ ')
+
@@ -142500,9 +142539,10 @@ index e720dcd..1c8d838 100644
+ pulseaudio_role($1_r, $1_usertype)
+ pulseaudio_filetrans_admin_home_content($1_usertype)
+ pulseaudio_filetrans_home_content($1_usertype)
-+ ')
-+
-+ optional_policy(`
+ ')
+
+ optional_policy(`
+- java_role($1_r, $1_t)
+ rtkit_scheduled($1_usertype)
')
@@ -142519,7 +142559,7 @@ index e720dcd..1c8d838 100644
')
')
-@@ -948,27 +1249,33 @@ template(`userdom_unpriv_user_template', `
+@@ -948,27 +1253,33 @@ template(`userdom_unpriv_user_template', `
#
# Inherit rules for ordinary users.
@@ -142557,7 +142597,7 @@ index e720dcd..1c8d838 100644
fs_manage_noxattr_fs_files($1_t)
fs_manage_noxattr_fs_dirs($1_t)
# Write floppies
-@@ -979,23 +1286,56 @@ template(`userdom_unpriv_user_template', `
+@@ -979,54 +1290,89 @@ template(`userdom_unpriv_user_template', `
')
')
@@ -142581,20 +142621,45 @@ index e720dcd..1c8d838 100644
+
+ tunable_policy(`selinuxuser_tcp_server',`
+ corenet_tcp_bind_all_unreserved_ports($1_usertype)
-+ ')
-+
-+ optional_policy(`
+ ')
+
+ optional_policy(`
+- netutils_run_ping_cond($1_t, $1_r)
+- netutils_run_traceroute_cond($1_t, $1_r)
+ cdrecord_role($1_r, $1_t)
-+ ')
-+
-+ optional_policy(`
+ ')
+
+- # Run pppd in pppd_t by default for user
+ optional_policy(`
+- ppp_run_cond($1_t, $1_r)
+ cron_role($1_r, $1_t)
-+ ')
-+
-+ optional_policy(`
+ ')
+
+ optional_policy(`
+- setroubleshoot_stream_connect($1_t)
+ games_rw_data($1_usertype)
-+ ')
-+
+ ')
+-')
+
+-#######################################
+-## <summary>
+-## The template for creating an administrative user.
+-## </summary>
+-## <desc>
+-## <p>
+-## This template creates a user domain, types, and
+-## rules for the user's tty, pty, home directories,
+-## tmp, and tmpfs files.
+-## </p>
+-## <p>
+-## The privileges given to administrative users are:
+-## <ul>
+-## <li>Raw disk access</li>
+-## <li>Set all sysctls</li>
+-## <li>All kernel ring buffer controls</li>
+-## <li>Create, read, write, and delete all files but shadow</li>
+-## <li>Manage source and binary format SELinux policy</li>
+-## <li>Run insmod</li>
+ optional_policy(`
+ gpg_role($1_r, $1_usertype)
+ ')
@@ -142614,28 +142679,48 @@ index e720dcd..1c8d838 100644
+
+ optional_policy(`
+ wine_role_template($1, $1_r, $1_t)
- ')
-
- optional_policy(`
-- netutils_run_ping_cond($1_t, $1_r)
-- netutils_run_traceroute_cond($1_t, $1_r)
++ ')
++
++ optional_policy(`
+ postfix_run_postdrop($1_t, $1_r)
+ postfix_search_spool($1_t)
- ')
-
- # Run pppd in pppd_t by default for user
-@@ -1004,7 +1344,9 @@ template(`userdom_unpriv_user_template', `
- ')
-
- optional_policy(`
-- setroubleshoot_stream_connect($1_t)
++ ')
++
++ # Run pppd in pppd_t by default for user
++ optional_policy(`
++ ppp_run_cond($1_t, $1_r)
++ ')
++
++ optional_policy(`
+ vdagent_getattr_log($1_t)
+ vdagent_getattr_exec_files($1_t)
+ vdagent_stream_connect($1_t)
- ')
- ')
-
-@@ -1040,7 +1382,7 @@ template(`userdom_unpriv_user_template', `
++ ')
++')
++
++#######################################
++## <summary>
++## The template for creating an administrative user.
++## </summary>
++## <desc>
++## <p>
++## This template creates a user domain, types, and
++## rules for the user's tty, pty, home directories,
++## tmp, and tmpfs files.
++## </p>
++## <p>
++## The privileges given to administrative users are:
++## <ul>
++## <li>Raw disk access</li>
++## <li>Set all sysctls</li>
++## <li>All kernel ring buffer controls</li>
++## <li>Create, read, write, and delete all files but shadow</li>
++## <li>Manage source and binary format SELinux policy</li>
++## <li>Run insmod</li>
+ ## </ul>
+ ## </p>
+ ## </desc>
+@@ -1040,7 +1386,7 @@ template(`userdom_unpriv_user_template', `
template(`userdom_admin_user_template',`
gen_require(`
attribute admindomain;
@@ -142644,7 +142729,7 @@ index e720dcd..1c8d838 100644
')
##############################
-@@ -1067,6 +1409,7 @@ template(`userdom_admin_user_template',`
+@@ -1067,6 +1413,7 @@ template(`userdom_admin_user_template',`
#
allow $1_t self:capability ~{ sys_module audit_control audit_write };
@@ -142652,7 +142737,7 @@ index e720dcd..1c8d838 100644
allow $1_t self:process { setexec setfscreate };
allow $1_t self:netlink_audit_socket nlmsg_readpriv;
allow $1_t self:tun_socket create;
-@@ -1075,6 +1418,9 @@ template(`userdom_admin_user_template',`
+@@ -1075,6 +1422,9 @@ template(`userdom_admin_user_template',`
# Skip authentication when pam_rootok is specified.
allow $1_t self:passwd rootok;
@@ -142662,7 +142747,7 @@ index e720dcd..1c8d838 100644
kernel_read_software_raid_state($1_t)
kernel_getattr_core_if($1_t)
kernel_getattr_message_if($1_t)
-@@ -1089,6 +1435,7 @@ template(`userdom_admin_user_template',`
+@@ -1089,6 +1439,7 @@ template(`userdom_admin_user_template',`
kernel_sigstop_unlabeled($1_t)
kernel_signull_unlabeled($1_t)
kernel_sigchld_unlabeled($1_t)
@@ -142670,7 +142755,7 @@ index e720dcd..1c8d838 100644
corenet_tcp_bind_generic_port($1_t)
# allow setting up tunnels
-@@ -1106,10 +1453,14 @@ template(`userdom_admin_user_template',`
+@@ -1106,10 +1457,14 @@ template(`userdom_admin_user_template',`
dev_rename_all_blk_files($1_t)
dev_rename_all_chr_files($1_t)
dev_create_generic_symlinks($1_t)
@@ -142685,7 +142770,7 @@ index e720dcd..1c8d838 100644
domain_dontaudit_ptrace_all_domains($1_t)
# signal all domains:
domain_kill_all_domains($1_t)
-@@ -1120,29 +1471,38 @@ template(`userdom_admin_user_template',`
+@@ -1120,29 +1475,38 @@ template(`userdom_admin_user_template',`
domain_sigchld_all_domains($1_t)
# for lsof
domain_getattr_all_sockets($1_t)
@@ -142728,7 +142813,7 @@ index e720dcd..1c8d838 100644
# The following rule is temporary until such time that a complete
# policy management infrastructure is in place so that an administrator
-@@ -1152,6 +1512,8 @@ template(`userdom_admin_user_template',`
+@@ -1152,6 +1516,8 @@ template(`userdom_admin_user_template',`
# But presently necessary for installing the file_contexts file.
seutil_manage_bin_policy($1_t)
@@ -142737,7 +142822,7 @@ index e720dcd..1c8d838 100644
userdom_manage_user_home_content_dirs($1_t)
userdom_manage_user_home_content_files($1_t)
userdom_manage_user_home_content_symlinks($1_t)
-@@ -1159,13 +1521,17 @@ template(`userdom_admin_user_template',`
+@@ -1159,13 +1525,17 @@ template(`userdom_admin_user_template',`
userdom_manage_user_home_content_sockets($1_t)
userdom_user_home_dir_filetrans_user_home_content($1_t, { dir file lnk_file fifo_file sock_file })
@@ -142756,7 +142841,7 @@ index e720dcd..1c8d838 100644
optional_policy(`
postgresql_unconfined($1_t)
')
-@@ -1211,6 +1577,8 @@ template(`userdom_security_admin_template',`
+@@ -1211,6 +1581,8 @@ template(`userdom_security_admin_template',`
dev_relabel_all_dev_nodes($1)
files_create_boot_flag($1)
@@ -142765,7 +142850,7 @@ index e720dcd..1c8d838 100644
# Necessary for managing /boot/efi
fs_manage_dos_files($1)
-@@ -1223,8 +1591,10 @@ template(`userdom_security_admin_template',`
+@@ -1223,8 +1595,10 @@ template(`userdom_security_admin_template',`
selinux_set_enforce_mode($1)
selinux_set_all_booleans($1)
selinux_set_parameters($1)
@@ -142777,7 +142862,7 @@ index e720dcd..1c8d838 100644
auth_relabel_shadow($1)
init_exec($1)
-@@ -1235,29 +1605,31 @@ template(`userdom_security_admin_template',`
+@@ -1235,29 +1609,31 @@ template(`userdom_security_admin_template',`
logging_read_audit_config($1)
seutil_manage_bin_policy($1)
@@ -142820,7 +142905,7 @@ index e720dcd..1c8d838 100644
')
optional_policy(`
-@@ -1317,12 +1689,15 @@ interface(`userdom_user_application_domain',`
+@@ -1317,12 +1693,15 @@ interface(`userdom_user_application_domain',`
interface(`userdom_user_home_content',`
gen_require(`
type user_home_t;
@@ -142837,7 +142922,7 @@ index e720dcd..1c8d838 100644
')
########################################
-@@ -1363,6 +1738,51 @@ interface(`userdom_user_tmpfs_file',`
+@@ -1363,6 +1742,51 @@ interface(`userdom_user_tmpfs_file',`
## <summary>
## Allow domain to attach to TUN devices created by administrative users.
## </summary>
@@ -142889,7 +142974,7 @@ index e720dcd..1c8d838 100644
## <param name="domain">
## <summary>
## Domain allowed access.
-@@ -1467,11 +1887,31 @@ interface(`userdom_search_user_home_dirs',`
+@@ -1467,11 +1891,31 @@ interface(`userdom_search_user_home_dirs',`
')
allow $1 user_home_dir_t:dir search_dir_perms;
@@ -142921,7 +143006,7 @@ index e720dcd..1c8d838 100644
## Do not audit attempts to search user home directories.
## </summary>
## <desc>
-@@ -1513,6 +1953,14 @@ interface(`userdom_list_user_home_dirs',`
+@@ -1513,6 +1957,14 @@ interface(`userdom_list_user_home_dirs',`
allow $1 user_home_dir_t:dir list_dir_perms;
files_search_home($1)
@@ -142936,7 +143021,7 @@ index e720dcd..1c8d838 100644
')
########################################
-@@ -1528,9 +1976,11 @@ interface(`userdom_list_user_home_dirs',`
+@@ -1528,9 +1980,11 @@ interface(`userdom_list_user_home_dirs',`
interface(`userdom_dontaudit_list_user_home_dirs',`
gen_require(`
type user_home_dir_t;
@@ -142948,7 +143033,7 @@ index e720dcd..1c8d838 100644
')
########################################
-@@ -1587,6 +2037,42 @@ interface(`userdom_relabelto_user_home_dirs',`
+@@ -1587,6 +2041,42 @@ interface(`userdom_relabelto_user_home_dirs',`
allow $1 user_home_dir_t:dir relabelto;
')
@@ -142991,7 +143076,7 @@ index e720dcd..1c8d838 100644
########################################
## <summary>
## Create directories in the home dir root with
-@@ -1666,6 +2152,8 @@ interface(`userdom_dontaudit_search_user_home_content',`
+@@ -1666,6 +2156,8 @@ interface(`userdom_dontaudit_search_user_home_content',`
')
dontaudit $1 user_home_t:dir search_dir_perms;
@@ -143000,7 +143085,7 @@ index e720dcd..1c8d838 100644
')
########################################
-@@ -1680,10 +2168,12 @@ interface(`userdom_dontaudit_search_user_home_content',`
+@@ -1680,10 +2172,12 @@ interface(`userdom_dontaudit_search_user_home_content',`
#
interface(`userdom_list_user_home_content',`
gen_require(`
@@ -143015,7 +143100,7 @@ index e720dcd..1c8d838 100644
')
########################################
-@@ -1726,6 +2216,43 @@ interface(`userdom_delete_user_home_content_dirs',`
+@@ -1726,6 +2220,43 @@ interface(`userdom_delete_user_home_content_dirs',`
########################################
## <summary>
@@ -143059,7 +143144,7 @@ index e720dcd..1c8d838 100644
## Do not audit attempts to set the
## attributes of user home files.
## </summary>
-@@ -1745,6 +2272,25 @@ interface(`userdom_dontaudit_setattr_user_home_content_files',`
+@@ -1745,6 +2276,25 @@ interface(`userdom_dontaudit_setattr_user_home_content_files',`
########################################
## <summary>
@@ -143085,7 +143170,7 @@ index e720dcd..1c8d838 100644
## Mmap user home files.
## </summary>
## <param name="domain">
-@@ -1775,14 +2321,36 @@ interface(`userdom_mmap_user_home_content_files',`
+@@ -1775,14 +2325,36 @@ interface(`userdom_mmap_user_home_content_files',`
interface(`userdom_read_user_home_content_files',`
gen_require(`
type user_home_dir_t, user_home_t;
@@ -143123,7 +143208,7 @@ index e720dcd..1c8d838 100644
## Do not audit attempts to read user home files.
## </summary>
## <param name="domain">
-@@ -1793,11 +2361,14 @@ interface(`userdom_read_user_home_content_files',`
+@@ -1793,11 +2365,14 @@ interface(`userdom_read_user_home_content_files',`
#
interface(`userdom_dontaudit_read_user_home_content_files',`
gen_require(`
@@ -143141,29 +143226,83 @@ index e720dcd..1c8d838 100644
')
########################################
-@@ -1856,6 +2427,78 @@ interface(`userdom_delete_user_home_content_files',`
+@@ -1856,25 +2431,25 @@ interface(`userdom_delete_user_home_content_files',`
########################################
## <summary>
+-## Do not audit attempts to write user home files.
+## Delete all files in a user home subdirectory.
-+## </summary>
-+## <param name="domain">
-+## <summary>
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+-## Domain to not audit.
+## Domain allowed access.
-+## </summary>
-+## </param>
-+#
+ ## </summary>
+ ## </param>
+ #
+-interface(`userdom_dontaudit_relabel_user_home_content_files',`
+interface(`userdom_delete_all_user_home_content_files',`
-+ gen_require(`
+ gen_require(`
+- type user_home_t;
+ attribute user_home_type;
-+ ')
-+
+ ')
+
+- dontaudit $1 user_home_t:file relabel_file_perms;
+ allow $1 user_home_type:file delete_file_perms;
+ ')
+
+ ########################################
+ ## <summary>
+-## Read user home subdirectory symbolic links.
++## Delete sock files in a user home subdirectory.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -1882,46 +2457,53 @@ interface(`userdom_dontaudit_relabel_user_home_content_files',`
+ ## </summary>
+ ## </param>
+ #
+-interface(`userdom_read_user_home_content_symlinks',`
++interface(`userdom_delete_user_home_content_sock_files',`
+ gen_require(`
+- type user_home_dir_t, user_home_t;
++ type user_home_t;
+ ')
+
+- read_lnk_files_pattern($1, { user_home_dir_t user_home_t }, user_home_t)
+- files_search_home($1)
++ allow $1 user_home_t:sock_file delete_file_perms;
+ ')
+
+ ########################################
+ ## <summary>
+-## Execute user home files.
++## Delete all sock files in a user home subdirectory.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+ ## Domain allowed access.
+ ## </summary>
+ ## </param>
+-## <rolecap/>
+ #
+-interface(`userdom_exec_user_home_content_files',`
++interface(`userdom_delete_all_user_home_content_sock_files',`
+ gen_require(`
+- type user_home_dir_t, user_home_t;
++ attribute user_home_type;
+ ')
+
+- files_search_home($1)
+- exec_files_pattern($1, { user_home_dir_t user_home_t }, user_home_t)
++ allow $1 user_home_type:sock_file delete_file_perms;
+')
-+
+
+- tunable_policy(`use_nfs_home_dirs',`
+- fs_exec_nfs_files($1)
+########################################
+## <summary>
-+## Delete sock files in a user home subdirectory.
++## Delete all files in a user home subdirectory.
+## </summary>
+## <param name="domain">
+## <summary>
@@ -143171,92 +143310,115 @@ index e720dcd..1c8d838 100644
+## </summary>
+## </param>
+#
-+interface(`userdom_delete_user_home_content_sock_files',`
++interface(`userdom_delete_all_user_home_content',`
+ gen_require(`
-+ type user_home_t;
++ attribute user_home_type;
+ ')
+
+- tunable_policy(`use_samba_home_dirs',`
+- fs_exec_cifs_files($1)
+- ')
++ allow $1 user_home_type:dir_file_class_set delete_file_perms;
+ ')
+
+ ########################################
+ ## <summary>
+-## Do not audit attempts to execute user home files.
++## Do not audit attempts to write user home files.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -1929,18 +2511,17 @@ interface(`userdom_exec_user_home_content_files',`
+ ## </summary>
+ ## </param>
+ #
+-interface(`userdom_dontaudit_exec_user_home_content_files',`
++interface(`userdom_dontaudit_relabel_user_home_content_files',`
+ gen_require(`
+ type user_home_t;
+ ')
+
+- dontaudit $1 user_home_t:file exec_file_perms;
++ dontaudit $1 user_home_t:file relabel_file_perms;
+ ')
+
+ ########################################
+ ## <summary>
+-## Create, read, write, and delete files
+-## in a user home subdirectory.
++## Read user home subdirectory symbolic links.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -1948,7 +2529,66 @@ interface(`userdom_dontaudit_exec_user_home_content_files',`
+ ## </summary>
+ ## </param>
+ #
+-interface(`userdom_manage_user_home_content_files',`
++interface(`userdom_read_user_home_content_symlinks',`
++ gen_require(`
++ type user_home_dir_t, user_home_t;
+ ')
+
-+ allow $1 user_home_t:sock_file delete_file_perms;
++ allow $1 { user_home_dir_t user_home_t }:lnk_file read_lnk_file_perms;
+')
+
+########################################
+## <summary>
-+## Delete all sock files in a user home subdirectory.
++## Execute user home files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
++## <rolecap/>
+#
-+interface(`userdom_delete_all_user_home_content_sock_files',`
++interface(`userdom_exec_user_home_content_files',`
+ gen_require(`
++ type user_home_dir_t;
+ attribute user_home_type;
+ ')
+
-+ allow $1 user_home_type:sock_file delete_file_perms;
-+')
++ files_search_home($1)
++ exec_files_pattern($1, { user_home_dir_t user_home_type }, user_home_type)
++ dontaudit $1 user_home_type:sock_file execute;
++ ')
+
+########################################
+## <summary>
-+## Delete all files in a user home subdirectory.
++## Do not audit attempts to execute user home files.
+## </summary>
+## <param name="domain">
+## <summary>
-+## Domain allowed access.
++## Domain to not audit.
+## </summary>
+## </param>
+#
-+interface(`userdom_delete_all_user_home_content',`
++interface(`userdom_dontaudit_exec_user_home_content_files',`
+ gen_require(`
-+ attribute user_home_type;
++ type user_home_t;
+ ')
+
-+ allow $1 user_home_type:dir_file_class_set delete_file_perms;
++ dontaudit $1 user_home_t:file exec_file_perms;
+')
+
+########################################
+## <summary>
- ## Do not audit attempts to write user home files.
- ## </summary>
- ## <param name="domain">
-@@ -1887,8 +2530,7 @@ interface(`userdom_read_user_home_content_symlinks',`
- type user_home_dir_t, user_home_t;
- ')
-
-- read_lnk_files_pattern($1, { user_home_dir_t user_home_t }, user_home_t)
-- files_search_home($1)
-+ allow $1 { user_home_dir_t user_home_t }:lnk_file read_lnk_file_perms;
- ')
-
- ########################################
-@@ -1904,21 +2546,15 @@ interface(`userdom_read_user_home_content_symlinks',`
- #
- interface(`userdom_exec_user_home_content_files',`
++## Create, read, write, and delete files
++## in a user home subdirectory.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`userdom_manage_user_home_content_files',`
gen_require(`
-- type user_home_dir_t, user_home_t;
-+ type user_home_dir_t;
-+ attribute user_home_type;
- ')
-
- files_search_home($1)
-- exec_files_pattern($1, { user_home_dir_t user_home_t }, user_home_t)
--
-- tunable_policy(`use_nfs_home_dirs',`
-- fs_exec_nfs_files($1)
-+ exec_files_pattern($1, { user_home_dir_t user_home_type }, user_home_type)
-+ dontaudit $1 user_home_type:sock_file execute;
+ type user_home_dir_t, user_home_t;
')
-
-- tunable_policy(`use_samba_home_dirs',`
-- fs_exec_cifs_files($1)
-- ')
--')
--
- ########################################
- ## <summary>
- ## Do not audit attempts to execute user home files.
-@@ -2018,6 +2654,24 @@ interface(`userdom_delete_user_home_content_symlinks',`
+@@ -2018,6 +2658,24 @@ interface(`userdom_delete_user_home_content_symlinks',`
########################################
## <summary>
@@ -143281,7 +143443,7 @@ index e720dcd..1c8d838 100644
## Create, read, write, and delete named pipes
## in a user home subdirectory.
## </summary>
-@@ -2250,11 +2904,11 @@ interface(`userdom_dontaudit_manage_user_tmp_dirs',`
+@@ -2250,11 +2908,11 @@ interface(`userdom_dontaudit_manage_user_tmp_dirs',`
#
interface(`userdom_read_user_tmp_files',`
gen_require(`
@@ -143296,7 +143458,7 @@ index e720dcd..1c8d838 100644
files_search_tmp($1)
')
-@@ -2274,7 +2928,7 @@ interface(`userdom_dontaudit_read_user_tmp_files',`
+@@ -2274,7 +2932,7 @@ interface(`userdom_dontaudit_read_user_tmp_files',`
type user_tmp_t;
')
@@ -143305,18 +143467,15 @@ index e720dcd..1c8d838 100644
')
########################################
-@@ -2521,12 +3175,31 @@ interface(`userdom_tmp_filetrans_user_tmp',`
+@@ -2521,6 +3179,25 @@ interface(`userdom_tmp_filetrans_user_tmp',`
files_tmp_filetrans($1, user_tmp_t, $2, $3)
')
--########################################
+#######################################
- ## <summary>
--## Read user tmpfs files.
++## <summary>
+## Getattr user tmpfs files.
- ## </summary>
- ## <param name="domain">
--## <summary>
++## </summary>
++## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
@@ -143331,16 +143490,10 @@ index e720dcd..1c8d838 100644
+ fs_search_tmpfs($1)
+')
+
-+########################################
-+## <summary>
-+## Read user tmpfs files.
-+## </summary>
-+## <param name="domain">
-+## <summary>
- ## Domain allowed access.
- ## </summary>
- ## </param>
-@@ -2537,13 +3210,14 @@ interface(`userdom_read_user_tmpfs_files',`
+ ########################################
+ ## <summary>
+ ## Read user tmpfs files.
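Review bot: The banner line introduced for the new `userdom_getattr_user_tmpfs_files` interface appears one `#` shorter than the forty-character `########################################` used by the surrounding interfaces in userdomain.if, which breaks the visual rhythm the file relies on when scanning for interface boundaries. Padding it to the same width, `########################################`, keeps the new block consistent with `userdom_read_user_tmpfs_files` that follows it. The body of the new interface and its `gen_require` are split across this hunk's boundaries, so the check above is limited to the header lines visible here.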
+@@ -2537,13 +3214,14 @@ interface(`userdom_read_user_tmpfs_files',`
')
read_files_pattern($1, user_tmpfs_t, user_tmpfs_t)
@@ -143356,7 +143509,7 @@ index e720dcd..1c8d838 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -2564,7 +3238,7 @@ interface(`userdom_rw_user_tmpfs_files',`
+@@ -2564,7 +3242,7 @@ interface(`userdom_rw_user_tmpfs_files',`
########################################
## <summary>
@@ -143365,7 +143518,7 @@ index e720dcd..1c8d838 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -2572,14 +3246,30 @@ interface(`userdom_rw_user_tmpfs_files',`
+@@ -2572,14 +3250,30 @@ interface(`userdom_rw_user_tmpfs_files',`
## </summary>
## </param>
#
@@ -143400,7 +143553,7 @@ index e720dcd..1c8d838 100644
')
########################################
-@@ -2674,6 +3364,24 @@ interface(`userdom_use_user_ttys',`
+@@ -2674,6 +3368,24 @@ interface(`userdom_use_user_ttys',`
########################################
## <summary>
@@ -143425,7 +143578,7 @@ index e720dcd..1c8d838 100644
## Read and write a user domain pty.
## </summary>
## <param name="domain">
-@@ -2692,22 +3400,34 @@ interface(`userdom_use_user_ptys',`
+@@ -2692,22 +3404,34 @@ interface(`userdom_use_user_ptys',`
########################################
## <summary>
@@ -143468,7 +143621,7 @@ index e720dcd..1c8d838 100644
## </desc>
## <param name="domain">
## <summary>
-@@ -2716,14 +3436,33 @@ interface(`userdom_use_user_ptys',`
+@@ -2716,14 +3440,33 @@ interface(`userdom_use_user_ptys',`
## </param>
## <infoflow type="both" weight="10"/>
#
@@ -143506,7 +143659,7 @@ index e720dcd..1c8d838 100644
')
########################################
-@@ -2742,8 +3481,27 @@ interface(`userdom_dontaudit_use_user_terminals',`
+@@ -2742,8 +3485,27 @@ interface(`userdom_dontaudit_use_user_terminals',`
type user_tty_device_t, user_devpts_t;
')
@@ -143536,7 +143689,7 @@ index e720dcd..1c8d838 100644
')
########################################
-@@ -2815,69 +3573,68 @@ interface(`userdom_spec_domtrans_unpriv_users',`
+@@ -2815,69 +3577,68 @@ interface(`userdom_spec_domtrans_unpriv_users',`
allow unpriv_userdomain $1:process sigchld;
')
@@ -143637,7 +143790,7 @@ index e720dcd..1c8d838 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -2885,12 +3642,12 @@ interface(`userdom_manage_unpriv_user_semaphores',`
+@@ -2885,12 +3646,12 @@ interface(`userdom_manage_unpriv_user_semaphores',`
## </summary>
## </param>
#
@@ -143652,7 +143805,7 @@ index e720dcd..1c8d838 100644
')
########################################
-@@ -2954,7 +3711,7 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
+@@ -2954,7 +3715,7 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
domain_entry_file_spec_domtrans($1, unpriv_userdomain)
allow unpriv_userdomain $1:fd use;
@@ -143661,7 +143814,7 @@ index e720dcd..1c8d838 100644
allow unpriv_userdomain $1:process sigchld;
')
-@@ -2970,29 +3727,13 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
+@@ -2970,29 +3731,13 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
#
interface(`userdom_search_user_home_content',`
gen_require(`
@@ -143695,7 +143848,7 @@ index e720dcd..1c8d838 100644
')
########################################
-@@ -3074,7 +3815,7 @@ interface(`userdom_dontaudit_use_user_ptys',`
+@@ -3074,7 +3819,7 @@ interface(`userdom_dontaudit_use_user_ptys',`
type user_devpts_t;
')
@@ -143704,71 +143857,146 @@ index e720dcd..1c8d838 100644
')
########################################
-@@ -3129,7 +3870,45 @@ interface(`userdom_write_user_tmp_files',`
+@@ -3129,12 +3874,13 @@ interface(`userdom_write_user_tmp_files',`
type user_tmp_t;
')
- allow $1 user_tmp_t:file write_file_perms;
+ write_files_pattern($1, user_tmp_t, user_tmp_t)
+ ')
+
+ ########################################
+ ## <summary>
+-## Do not audit attempts to use user ttys.
++## Do not audit attempts to write users
++## temporary files.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -3142,54 +3888,54 @@ interface(`userdom_write_user_tmp_files',`
+ ## </summary>
+ ## </param>
+ #
+-interface(`userdom_dontaudit_use_user_ttys',`
++interface(`userdom_dontaudit_write_user_tmp_files',`
+ gen_require(`
+- type user_tty_device_t;
++ type user_tmp_t;
+ ')
+
+- dontaudit $1 user_tty_device_t:chr_file rw_file_perms;
++ dontaudit $1 user_tmp_t:file write;
+ ')
+
+ ########################################
+ ## <summary>
+-## Read the process state of all user domains.
++## Do not audit attempts to read/write users
++## temporary fifo files.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+-## Domain allowed access.
++## Domain to not audit.
+ ## </summary>
+ ## </param>
+ #
+-interface(`userdom_read_all_users_state',`
++interface(`userdom_dontaudit_rw_user_tmp_pipes',`
+ gen_require(`
+- attribute userdomain;
++ type user_tmp_t;
+ ')
+
+- read_files_pattern($1, userdomain, userdomain)
+- kernel_search_proc($1)
++ dontaudit $1 user_tmp_t:fifo_file rw_inherited_fifo_file_perms;
+ ')
+
+ ########################################
+ ## <summary>
+-## Get the attributes of all user domains.
++## Do not audit attempts to use user ttys.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+-## Domain allowed access.
++## Domain to not audit.
+ ## </summary>
+ ## </param>
+ #
+-interface(`userdom_getattr_all_users',`
++interface(`userdom_dontaudit_use_user_ttys',`
+ gen_require(`
+- attribute userdomain;
++ type user_tty_device_t;
+ ')
+
+- allow $1 userdomain:process getattr;
++ dontaudit $1 user_tty_device_t:chr_file rw_inherited_file_perms;
+ ')
+
+ ########################################
+ ## <summary>
+-## Inherit the file descriptors from all user domains
++## Read the process state of all user domains.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -3197,12 +3943,50 @@ interface(`userdom_getattr_all_users',`
+ ## </summary>
+ ## </param>
+ #
+-interface(`userdom_use_all_users_fds',`
++interface(`userdom_read_all_users_state',`
+ gen_require(`
+ attribute userdomain;
+ ')
+
+- allow $1 userdomain:fd use;
++ read_files_pattern($1, userdomain, userdomain)
++ read_lnk_files_pattern($1,userdomain,userdomain)
++ kernel_search_proc($1)
+')
+
+########################################
+## <summary>
-+## Do not audit attempts to write users
-+## temporary files.
++## Get the attributes of all user domains.
+## </summary>
+## <param name="domain">
+## <summary>
-+## Domain to not audit.
++## Domain allowed access.
+## </summary>
+## </param>
+#
-+interface(`userdom_dontaudit_write_user_tmp_files',`
++interface(`userdom_getattr_all_users',`
+ gen_require(`
-+ type user_tmp_t;
++ attribute userdomain;
+ ')
+
-+ dontaudit $1 user_tmp_t:file write;
++ allow $1 userdomain:process getattr;
+')
+
+########################################
+## <summary>
-+## Do not audit attempts to read/write users
-+## temporary fifo files.
++## Inherit the file descriptors from all user domains
+## </summary>
+## <param name="domain">
+## <summary>
-+## Domain to not audit.
++## Domain allowed access.
+## </summary>
+## </param>
+#
-+interface(`userdom_dontaudit_rw_user_tmp_pipes',`
++interface(`userdom_use_all_users_fds',`
+ gen_require(`
-+ type user_tmp_t;
++ attribute userdomain;
+ ')
+
-+ dontaudit $1 user_tmp_t:fifo_file rw_inherited_fifo_file_perms;
- ')
-
- ########################################
-@@ -3147,7 +3926,7 @@ interface(`userdom_dontaudit_use_user_ttys',`
- type user_tty_device_t;
- ')
-
-- dontaudit $1 user_tty_device_t:chr_file rw_file_perms;
-+ dontaudit $1 user_tty_device_t:chr_file rw_inherited_file_perms;
++ allow $1 userdomain:fd use;
')
########################################
-@@ -3166,6 +3945,7 @@ interface(`userdom_read_all_users_state',`
- ')
-
- read_files_pattern($1, userdomain, userdomain)
-+ read_lnk_files_pattern($1,userdomain,userdomain)
- kernel_search_proc($1)
- ')
-
-@@ -3242,6 +4022,42 @@ interface(`userdom_signal_all_users',`
+@@ -3242,6 +4026,42 @@ interface(`userdom_signal_all_users',`
allow $1 userdomain:process signal;
')
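Review bot: The new `userdom_dontaudit_rw_user_tmp_pipes` interface silences denials on inherited user_tmp_t fifo descriptors without recording that it exists to cover a descriptor leak, which the changelog attributes to openshift handing fifos to ping; a dontaudit hides the evidence that a confined domain inherits descriptors it should never hold, so the real fix belongs in the leaking process (close the fds or set FD_CLOEXEC before exec) and the rule should be marked as a workaround. I would change the summary to `## Do not audit attempts to read/write inherited user temporary fifo files (leaked descriptors).` and put `# workaround for fds leaked across a domain transition; the caller should close them` above the dontaudit. Separately, `read_lnk_files_pattern($1,userdomain,userdomain)` in userdom_read_all_users_state drops the spaces after the commas that every other pattern call in this hunk uses; `read_lnk_files_pattern($1, userdomain, userdomain)` keeps the file consistent.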
@@ -143811,7 +144039,7 @@ index e720dcd..1c8d838 100644
########################################
## <summary>
## Send a SIGCHLD signal to all user domains.
-@@ -3262,6 +4078,24 @@ interface(`userdom_sigchld_all_users',`
+@@ -3262,6 +4082,24 @@ interface(`userdom_sigchld_all_users',`
########################################
## <summary>
@@ -143836,7 +144064,7 @@ index e720dcd..1c8d838 100644
## Create keys for all user domains.
## </summary>
## <param name="domain">
-@@ -3296,3 +4130,1361 @@ interface(`userdom_dbus_send_all_users',`
+@@ -3296,3 +4134,1361 @@ interface(`userdom_dbus_send_all_users',`
allow $1 userdomain:dbus send_msg;
')
@@ -145199,10 +145427,10 @@ index e720dcd..1c8d838 100644
+ filetrans_pattern($1, user_tmpfs_t, $2, $3, $4)
+')
diff --git a/policy/modules/system/userdomain.te b/policy/modules/system/userdomain.te
-index 6a4bd85..662afd7 100644
+index 6a4bd85..a8337e2 100644
--- a/policy/modules/system/userdomain.te
+++ b/policy/modules/system/userdomain.te
-@@ -7,31 +7,17 @@ policy_module(userdomain, 4.8.0)
+@@ -7,48 +7,42 @@ policy_module(userdomain, 4.8.0)
## <desc>
## <p>
@@ -145219,46 +145447,50 @@ index 6a4bd85..662afd7 100644
## </p>
## </desc>
-gen_tunable(allow_user_postgresql_connect, false)
--
--## <desc>
--## <p>
--## Allow regular users direct mouse access
--## </p>
--## </desc>
--gen_tunable(user_direct_mouse, false)
--
--## <desc>
--## <p>
--## Allow users to read system messages.
--## </p>
--## </desc>
--gen_tunable(user_dmesg, false)
+gen_tunable(selinuxuser_postgresql_connect_enabled, false)
## <desc>
## <p>
-@@ -39,16 +25,17 @@ gen_tunable(user_dmesg, false)
- ## that do not have extended attributes (FAT, CDROM, FLOPPY)
+-## Allow regular users direct mouse access
++## Allow user to r/w files on filesystems
++## that do not have extended attributes (FAT, CDROM, FLOPPY)
## </p>
## </desc>
--gen_tunable(user_rw_noexattrfile, false)
+-gen_tunable(user_direct_mouse, false)
+gen_tunable(selinuxuser_rw_noexattrfile, false)
## <desc>
## <p>
--## Allow w to display everyone
+-## Allow users to read system messages.
+## Allow user music sharing
## </p>
## </desc>
--gen_tunable(user_ttyfile_stat, false)
+-gen_tunable(user_dmesg, false)
+gen_tunable(selinuxuser_user_share_music, false)
+ ## <desc>
+ ## <p>
+-## Allow user to r/w files on filesystems
+-## that do not have extended attributes (FAT, CDROM, FLOPPY)
++## Allow user to use ssh chroot environment.
+ ## </p>
+ ## </desc>
+-gen_tunable(user_rw_noexattrfile, false)
+-
+-## <desc>
+-## <p>
+-## Allow w to display everyone
+-## </p>
+-## </desc>
+-gen_tunable(user_ttyfile_stat, false)
++gen_tunable(selinuxuser_use_ssh_chroot, false)
+
attribute admindomain;
+attribute login_userdomain;
# all user domains
attribute userdomain;
-@@ -59,6 +46,22 @@ attribute unpriv_userdomain;
+@@ -59,6 +53,22 @@ attribute unpriv_userdomain;
attribute untrusted_content_type;
attribute untrusted_content_tmp_type;
@@ -145281,7 +145513,7 @@ index 6a4bd85..662afd7 100644
type user_home_dir_t alias { staff_home_dir_t sysadm_home_dir_t secadm_home_dir_t auditadm_home_dir_t unconfined_home_dir_t };
fs_associate_tmpfs(user_home_dir_t)
files_type(user_home_dir_t)
-@@ -71,26 +74,121 @@ ubac_constrained(user_home_dir_t)
+@@ -71,26 +81,121 @@ ubac_constrained(user_home_dir_t)
type user_home_t alias { staff_home_t sysadm_home_t secadm_home_t auditadm_home_t unconfined_home_t };
typealias user_home_t alias { staff_untrusted_content_t sysadm_untrusted_content_t secadm_untrusted_content_t auditadm_untrusted_content_t unconfined_untrusted_content_t };
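Review bot: The description of the new `selinuxuser_use_ssh_chroot` tunable does not say what access it grants, and no `tunable_policy` block referencing it is visible in this hunk, so a reader (or `semanage boolean -l` output, where this text ends up) cannot tell which domain gains what when it is switched on. Boolean descriptions should name the permission being opened; I would write `## Allow user domains to use an ssh chroot environment (see the tunable_policy block using this boolean for the exact access granted).` and then replace the parenthetical with the actual rules once they are in view. Defaulting to false is the right choice for a permission-widening boolean, so that part needs no change.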
diff --git a/policy_contrib-rawhide.patch b/policy_contrib-rawhide.patch
index 10b8b78..da794df 100644
--- a/policy_contrib-rawhide.patch
+++ b/policy_contrib-rawhide.patch
@@ -5919,7 +5919,7 @@ index dc687e6..e0255eb 100644
# /usr
#
diff --git a/bluetooth.if b/bluetooth.if
-index 3e45431..e1eee58 100644
+index 3e45431..758bd64 100644
--- a/bluetooth.if
+++ b/bluetooth.if
@@ -27,7 +27,11 @@ interface(`bluetooth_role',`
@@ -6032,7 +6032,7 @@ index 3e45431..e1eee58 100644
- type bluetooth_spool_t, bluetooth_var_lib_t, bluetooth_var_run_t;
- type bluetooth_conf_t, bluetooth_conf_rw_t;
- type bluetooth_initrc_exec_t;
-+ type bluetooth_t, bluetooth_lock_t;
++ type bluetooth_t, bluetooth_lock_t, bluetooth_spool_t;
+ type bluetooth_var_lib_t, bluetooth_var_run_t, bluetooth_initrc_exec_t;
+ type bluetooth_conf_t, bluetooth_conf_rw_t, bluetooth_tmp_t;
+ type bluetooth_unit_file_t;
@@ -15473,7 +15473,7 @@ index fb4bf82..126d543 100644
+ dontaudit $1 session_bus_type:dbus send_msg;
')
diff --git a/dbus.te b/dbus.te
-index 625cb32..90ad9da 100644
+index 625cb32..c273500 100644
--- a/dbus.te
+++ b/dbus.te
@@ -10,6 +10,7 @@ gen_require(`
@@ -15516,7 +15516,7 @@ index 625cb32..90ad9da 100644
kernel_read_system_state(system_dbusd_t)
kernel_read_kernel_sysctls(system_dbusd_t)
-@@ -83,6 +86,8 @@ kernel_read_kernel_sysctls(system_dbusd_t)
+@@ -83,11 +86,15 @@ kernel_read_kernel_sysctls(system_dbusd_t)
dev_read_urand(system_dbusd_t)
dev_read_sysfs(system_dbusd_t)
@@ -15525,7 +15525,14 @@ index 625cb32..90ad9da 100644
fs_getattr_all_fs(system_dbusd_t)
fs_list_inotifyfs(system_dbusd_t)
fs_search_auto_mountpoints(system_dbusd_t)
-@@ -110,22 +115,25 @@ auth_read_pam_console_data(system_dbusd_t)
+ fs_dontaudit_list_nfs(system_dbusd_t)
+
++storage_rw_inherited_fixed_disk_dev(system_dbusd_t)
++
+ mls_fd_use_all_levels(system_dbusd_t)
+ mls_rangetrans_target(system_dbusd_t)
+ mls_file_read_all_levels(system_dbusd_t)
+@@ -110,22 +117,25 @@ auth_read_pam_console_data(system_dbusd_t)
corecmd_list_bin(system_dbusd_t)
corecmd_read_bin_pipes(system_dbusd_t)
corecmd_read_bin_sockets(system_dbusd_t)
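Review bot: `storage_rw_inherited_fixed_disk_dev(system_dbusd_t)` gives the system message bus read/write on inherited fixed-disk device descriptors and carries no comment on why a bus daemon should ever touch a raw disk; the changelog says the descriptor is passed through the bus by a client, which is an fd-passing side effect rather than something dbus itself does with the device. If the bus only relays the fd and never reads or writes it, a dontaudit would be the tighter choice; if the allow is genuinely required, keep it on the inherited interface (which presumably excludes open, though that definition is outside this hunk) and document it: `# fd to a fixed disk device passed through the bus by a client; dbus must not open disk devices itself`. Either way the reason should be recorded next to the rule, since this is the one line in system_dbusd_t's policy that reaches block devices.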
@@ -15553,7 +15560,7 @@ index 625cb32..90ad9da 100644
miscfiles_read_generic_certs(system_dbusd_t)
seutil_read_config(system_dbusd_t)
-@@ -135,11 +143,35 @@ seutil_sigchld_newrole(system_dbusd_t)
+@@ -135,11 +145,35 @@ seutil_sigchld_newrole(system_dbusd_t)
userdom_dontaudit_use_unpriv_user_fds(system_dbusd_t)
userdom_dontaudit_search_user_home_dirs(system_dbusd_t)
@@ -15589,7 +15596,7 @@ index 625cb32..90ad9da 100644
policykit_dbus_chat(system_dbusd_t)
policykit_domtrans_auth(system_dbusd_t)
policykit_search_lib(system_dbusd_t)
-@@ -150,12 +182,162 @@ optional_policy(`
+@@ -150,12 +184,162 @@ optional_policy(`
')
optional_policy(`
@@ -20049,10 +20056,10 @@ index f590a1f..b1b13b0 100644
+ admin_pattern($1, fail2ban_tmp_t)
')
diff --git a/fail2ban.te b/fail2ban.te
-index 2a69e5e..5dccf2c 100644
+index 2a69e5e..60cf17f 100644
--- a/fail2ban.te
+++ b/fail2ban.te
-@@ -23,12 +23,19 @@ files_type(fail2ban_var_lib_t)
+@@ -23,20 +23,27 @@ files_type(fail2ban_var_lib_t)
type fail2ban_var_run_t;
files_pid_file(fail2ban_var_run_t)
@@ -20070,11 +20077,12 @@ index 2a69e5e..5dccf2c 100644
#
-allow fail2ban_t self:capability { sys_tty_config };
-+allow fail2ban_t self:capability { dac_read_search dac_override sys_tty_config };
- allow fail2ban_t self:process signal;
+-allow fail2ban_t self:process signal;
++allow fail2ban_t self:capability { dac_read_search dac_override sys_nice sys_tty_config };
++allow fail2ban_t self:process { setsched signal };
allow fail2ban_t self:fifo_file rw_fifo_file_perms;
allow fail2ban_t self:unix_stream_socket { connectto create_stream_socket_perms };
-@@ -36,7 +43,7 @@ allow fail2ban_t self:unix_dgram_socket create_socket_perms;
+ allow fail2ban_t self:unix_dgram_socket create_socket_perms;
allow fail2ban_t self:tcp_socket create_stream_socket_perms;
# log files
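Review bot: The added `sys_nice` capability is not scoped to fail2ban's own process — CAP_SYS_NICE lets fail2ban_t change the scheduling policy and priority of any process — and the hunk gives no hint which fail2ban operation needs it alongside the `setsched` self permission. If fail2ban only adjusts its own scheduling with a non-elevated policy, `setsched` alone may suffice and `sys_nice` could be a dontaudit instead; if it genuinely raises its priority, say so above the capability line: `# fail2ban raises its own scheduling priority (setsched + CAP_SYS_NICE)`. Confirm against the AVC that prompted the change before keeping the capability.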
@@ -28756,16 +28764,17 @@ index 6a95faf..0cea063 100644
sysnet_dns_name_resolve(kpropd_t)
diff --git a/kerneloops.if b/kerneloops.if
-index 835b16b..8a98c76 100644
+index 835b16b..5992eb1 100644
--- a/kerneloops.if
+++ b/kerneloops.if
-@@ -99,17 +99,20 @@ interface(`kerneloops_manage_tmp_files',`
+@@ -99,17 +99,21 @@ interface(`kerneloops_manage_tmp_files',`
#
interface(`kerneloops_admin',`
gen_require(`
- type kerneloops_t, kerneloops_initrc_exec_t;
- type kerneloops_tmp_t;
+ type kerneloops_t, kerneloops_initrc_exec_t, kerneloops_tmp_t;
++ type kerneloops_initrc_exec_t;
')
- allow $1 kerneloops_t:process { ptrace signal_perms };
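Review bot: The gen_require in `kerneloops_admin` now lists `kerneloops_initrc_exec_t` twice — once on the combined `type kerneloops_t, kerneloops_initrc_exec_t, kerneloops_tmp_t;` line and again on the new `type kerneloops_initrc_exec_t;` line beneath it. The duplicate is redundant and looks like a leftover from re-merging the two original lines; drop the second line so the block reads `type kerneloops_t, kerneloops_initrc_exec_t, kerneloops_tmp_t;` alone. The interface body continues past the end of the hunk.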
@@ -54614,10 +54623,10 @@ index 0000000..8b505d5
+')
diff --git a/rngd.te b/rngd.te
new file mode 100644
-index 0000000..bbd9fbc
+index 0000000..243ecf9
--- /dev/null
+++ b/rngd.te
-@@ -0,0 +1,37 @@
+@@ -0,0 +1,39 @@
+policy_module(rngd, 1.0.0)
+
+########################################
@@ -54645,6 +54654,8 @@ index 0000000..bbd9fbc
+allow rngd_t self:fifo_file rw_fifo_file_perms;
+allow rngd_t self:unix_stream_socket create_stream_socket_perms;
+
++kernel_read_kernel_sysctls(rngd_t)
++
+dev_read_rand(rngd_t)
+dev_read_urand(rngd_t)
+dev_rw_tpm(rngd_t)
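Review bot: `kernel_read_kernel_sysctls(rngd_t)` is added with no comment saying which sysctl rngd reads, and the interface covers all of /proc/sys/kernel, so a why-comment would let the next maintainer judge whether the access is still needed. Presumably it is the random-pool entries under /proc/sys/kernel/random — confirm against the AVC that prompted it and record it: `# rngd reads /proc/sys/kernel/random/* (pool size / entropy level) -- TODO confirm`.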
@@ -58580,7 +58591,7 @@ index cfe3172..34b861a 100644
+ allow $1 sanlock_unit_file_t:service all_service_perms;
')
diff --git a/sanlock.te b/sanlock.te
-index e02eb6c..dc256a5 100644
+index e02eb6c..10958ba 100644
--- a/sanlock.te
+++ b/sanlock.te
@@ -1,4 +1,4 @@
@@ -58642,7 +58653,7 @@ index e02eb6c..dc256a5 100644
allow sanlock_t self:fifo_file rw_fifo_file_perms;
allow sanlock_t self:unix_stream_socket create_stream_socket_perms;
-@@ -58,36 +69,49 @@ manage_sock_files_pattern(sanlock_t, sanlock_var_run_t, sanlock_var_run_t)
+@@ -58,36 +69,50 @@ manage_sock_files_pattern(sanlock_t, sanlock_var_run_t, sanlock_var_run_t)
files_pid_filetrans(sanlock_t, sanlock_var_run_t, { file dir sock_file })
kernel_read_system_state(sanlock_t)
@@ -58651,6 +58662,7 @@ index e02eb6c..dc256a5 100644
domain_use_interactive_fds(sanlock_t)
-files_read_etc_files(sanlock_t)
++files_read_mnt_symlinks(sanlock_t)
storage_raw_rw_fixed_disk(sanlock_t)
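Review bot: `files_read_mnt_symlinks(sanlock_t)` is added beside `storage_raw_rw_fixed_disk(sanlock_t)` with no note on why a daemon holding raw disk access needs to follow symlinks under /mnt; if sanlock resolves a lockspace or resource path it is handed and then writes to the resulting device, a writable symlink under /mnt could redirect that write, so the rationale deserves a line. Suggested comment above the new rule: `# lockspace/resource paths under /mnt may be symlinks to the device; sanlock only resolves them -- confirm against the AVC`. Keeping it next to the raw-disk rule keeps the data-path reasoning in one place.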
diff --git a/selinux-policy.spec b/selinux-policy.spec
index e7f0b9d..a5db371 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -19,7 +19,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.11.1
-Release: 44%{?dist}
+Release: 45%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -522,6 +522,14 @@ SELinux Reference policy mls base module.
%endif
%changelog
+* Fri Oct 26 2012 Miroslav Grepl <mgrepl at redhat.com> 3.11.1-45
+- Add new selinuxuser_use_ssh_chroot boolean
+- dbus needs to be able to read/write inherited fixed disk device_t passed through it
+- Cleanup netutils process allow rule
+- Dontaudit leaked fifo files from openshift to ping
+- sanlock needs to read mnt_t lnk files
+- Fail2ban needs to setsched and sys_nice
+
* Wed Oct 24 2012 Miroslav Grepl <mgrepl at redhat.com> 3.11.1-44
- Change default label of all files in /var/run/rpcbind
- Allow sandbox domains (java) to read hugetlbfs_t