[selinux-policy/f19] * Wed May 02 2014 Miroslav Grepl <mgrepl at redhat.com> 3.12.1-74.26 - Update sandbox_transition() to c

Miroslav Grepl mgrepl at fedoraproject.org
Wed May 7 14:39:33 UTC 2014


commit 98a84b417b02e44137fd678003b4ddc39315c60a
Author: Miroslav Grepl <mgrepl at redhat.com>
Date:   Wed May 7 16:39:47 2014 +0200

    * Wed May 02 2014 Miroslav Grepl <mgrepl at redhat.com> 3.12.1-74.26
    - Update sandbox_transition() to call sandbox_dyntrasition().

 policy-f19-base.patch    |  720 ++++++++++++++++++++++++----------------------
 policy-f19-contrib.patch |   61 +++-
 selinux-policy.spec      |    5 +-
 3 files changed, 422 insertions(+), 364 deletions(-)
---
diff --git a/policy-f19-base.patch b/policy-f19-base.patch
index af4d7ad..2613303 100644
--- a/policy-f19-base.patch
+++ b/policy-f19-base.patch
@@ -3244,7 +3244,7 @@ index 7590165..19aaaed 100644
 +	fs_mounton_fusefs(seunshare_domain)
 +')
 diff --git a/policy/modules/kernel/corecommands.fc b/policy/modules/kernel/corecommands.fc
-index 644d4d7..6e7dd83 100644
+index 644d4d7..ad789c2 100644
 --- a/policy/modules/kernel/corecommands.fc
 +++ b/policy/modules/kernel/corecommands.fc
 @@ -1,9 +1,10 @@
@@ -3556,7 +3556,7 @@ index 644d4d7..6e7dd83 100644
  /usr/share/system-config-selinux/polgen\.py -- gen_context(system_u:object_r:bin_t,s0)
  /usr/share/system-config-selinux/system-config-selinux\.py -- gen_context(system_u:object_r:bin_t,s0)
  /usr/share/system-config-display/system-config-display -- gen_context(system_u:object_r:bin_t,s0)
-@@ -383,11 +458,15 @@ ifdef(`distro_suse', `
+@@ -383,11 +458,16 @@ ifdef(`distro_suse', `
  #
  # /var
  #
@@ -3566,6 +3566,7 @@ index 644d4d7..6e7dd83 100644
  /var/ftp/bin(/.*)?			gen_context(system_u:object_r:bin_t,s0)
  
  /var/lib/asterisk/agi-bin(/.*)?		gen_context(system_u:object_r:bin_t,s0)
++/var/lib/dirsrv/scripts-INSTANCE    --  gen_context(system_u:object_r:bin_t,s0)
 +/var/lib/iscan/interpreter		gen_context(system_u:object_r:bin_t,s0)
 +/usr/lib/ruby/gems(/.*)?/helper-scripts(/.*)? gen_context(system_u:object_r:bin_t,s0)
 +/usr/share/gems(/.*)?/helper-scripts(/.*)? gen_context(system_u:object_r:bin_t,s0)
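Review bot: The added `/var/lib/dirsrv/scripts-INSTANCE    --  gen_context(system_u:object_r:bin_t,s0)` entry is a literal path limited to regular files (`--`), unlike the neighbouring `/var/lib/asterisk/agi-bin(/.*)?` entry, which covers a whole tree. If `scripts-INSTANCE` is a directory of helper scripts (not visible from this hunk), nothing inside it receives `bin_t` from this line, and a form such as `/var/lib/dirsrv/scripts-INSTANCE(/.*)?` would be needed. If `INSTANCE` stands in for a real instance name, the literal will not match at all and the pattern needs a regex component. Since `bin_t` under `/var/lib` makes writable-state content executable by many domains, keep the match as narrow as the use case allows and add a comment saying which package installs these scripts.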
@@ -3573,7 +3574,7 @@ index 644d4d7..6e7dd83 100644
  /usr/lib/yp/.+			--	gen_context(system_u:object_r:bin_t,s0)
  
  /var/qmail/bin			-d	gen_context(system_u:object_r:bin_t,s0)
-@@ -397,3 +476,12 @@ ifdef(`distro_suse', `
+@@ -397,3 +477,12 @@ ifdef(`distro_suse', `
  ifdef(`distro_suse',`
  /var/lib/samba/bin/.+			gen_context(system_u:object_r:bin_t,s0)
  ')
@@ -32416,7 +32417,7 @@ index 9933677..ca14c17 100644
 +
 +/var/run/tmpfiles.d/kmod.conf --	gen_context(system_u:object_r:insmod_var_run_t,s0)
 diff --git a/policy/modules/system/modutils.if b/policy/modules/system/modutils.if
-index 7449974..23bbbf2 100644
+index 7449974..4f4ac3a 100644
 --- a/policy/modules/system/modutils.if
 +++ b/policy/modules/system/modutils.if
 @@ -12,7 +12,7 @@
@@ -32498,32 +32499,7 @@ index 7449974..23bbbf2 100644
  ##	Execute insmod in the insmod domain, and
  ##	allow the specified role the insmod domain,
  ##	and use the caller's terminal.  Has a sigchld
-@@ -208,6 +264,24 @@ interface(`modutils_exec_insmod',`
- 	can_exec($1, insmod_exec_t)
- ')
- 
-+#######################################
-+## <summary>
-+## Don't audit execute insmod in the caller domain.
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain allowed access.
-+## </summary>
-+## </param>
-+#
-+interface(`modutils_dontaudit_exec_insmod',`
-+    gen_require(`
-+        type insmod_exec_t;
-+    ')
-+
-+    dontaudit $1 insmod_exec_t:file exec_file_perms;
-+')
-+
- ########################################
- ## <summary>
- ##	Execute depmod in the depmod domain.
-@@ -308,11 +382,18 @@ interface(`modutils_domtrans_update_mods',`
+@@ -308,11 +364,18 @@ interface(`modutils_domtrans_update_mods',`
  #
  interface(`modutils_run_update_mods',`
  	gen_require(`
@@ -32544,7 +32520,7 @@ index 7449974..23bbbf2 100644
  ')
  
  ########################################
-@@ -333,3 +414,25 @@ interface(`modutils_exec_update_mods',`
+@@ -333,3 +396,25 @@ interface(`modutils_exec_update_mods',`
  	corecmd_search_bin($1)
  	can_exec($1, update_modules_exec_t)
  ')
@@ -35253,7 +35229,7 @@ index 346a7cc..42a48b6 100644
 +/var/run/netns(/.*)?		gen_context(system_u:object_r:ifconfig_var_run_t,s0)
 +/etc/firestarter/firestarter\.sh gen_context(system_u:object_r:dhcpc_helper_exec_t,s0)
 diff --git a/policy/modules/system/sysnetwork.if b/policy/modules/system/sysnetwork.if
-index 6944526..a76e22c 100644
+index 6944526..0bd8d93 100644
 --- a/policy/modules/system/sysnetwork.if
 +++ b/policy/modules/system/sysnetwork.if
 @@ -38,11 +38,30 @@ interface(`sysnet_domtrans_dhcpc',`
@@ -35528,7 +35504,7 @@ index 6944526..a76e22c 100644
  	corenet_tcp_sendrecv_generic_if($1)
  	corenet_udp_sendrecv_generic_if($1)
  	corenet_tcp_sendrecv_generic_node($1)
-@@ -766,3 +918,114 @@ interface(`sysnet_use_portmap',`
+@@ -766,3 +918,76 @@ interface(`sysnet_use_portmap',`
  
  	sysnet_read_config($1)
  ')
@@ -35581,24 +35557,6 @@ index 6944526..a76e22c 100644
 +
 +########################################
 +## <summary>
-+##	Transition to sysnet ifconfig named content
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##      Domain allowed access.
-+##	</summary>
-+## </param>
-+#
-+interface(`sysnet_filetrans_named_content_ifconfig',`
-+	gen_require(`
-+		type ifconfig_var_run_t;
-+	')
-+
-+	files_pid_filetrans($1, ifconfig_var_run_t, dir, "netns")
-+')
-+
-+########################################
-+## <summary>
 +##	Transition to sysnet named content
 +## </summary>
 +## <param name="domain">
@@ -35623,26 +35581,6 @@ index 6944526..a76e22c 100644
 +	files_etc_filetrans($1, net_conf_t, file, "yp.conf")
 +	files_etc_filetrans($1, net_conf_t, file, "ntp.conf")
 +')
-+
-+########################################
-+## <summary>
-+##	Transition to sysnet ifconfig named content
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##      Domain allowed access.
-+##	</summary>
-+## </param>
-+#
-+interface(`sysnet_manage_ifconfig_run',`
-+	gen_require(`
-+		type ifconfig_var_run_t;
-+	')
-+
-+	manage_files_pattern($1, ifconfig_var_run_t, ifconfig_var_run_t)
-+	manage_dirs_pattern($1, ifconfig_var_run_t, ifconfig_var_run_t)
-+	manage_lnk_files_pattern($1, ifconfig_var_run_t, ifconfig_var_run_t)
-+')
 diff --git a/policy/modules/system/sysnetwork.te b/policy/modules/system/sysnetwork.te
 index b7686d5..087fe08 100644
 --- a/policy/modules/system/sysnetwork.te
@@ -39441,7 +39379,7 @@ index db75976..65191bd 100644
 +
 +/var/run/user(/.*)?	gen_context(system_u:object_r:user_tmp_t,s0)
 diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
-index 3c5dba7..a44c781 100644
+index 3c5dba7..0aa6db0 100644
 --- a/policy/modules/system/userdomain.if
 +++ b/policy/modules/system/userdomain.if
 @@ -30,9 +30,11 @@ template(`userdom_base_user_template',`
@@ -40078,7 +40016,7 @@ index 3c5dba7..a44c781 100644
  
  	# cjp: some of this probably can be removed
  	selinux_get_fs_mount($1_t)
-@@ -546,93 +687,120 @@ template(`userdom_common_user_template',`
+@@ -546,93 +687,124 @@ template(`userdom_common_user_template',`
  	selinux_compute_user_contexts($1_t)
  
  	# for eject
@@ -40191,6 +40129,10 @@ index 3c5dba7..a44c781 100644
 +			kde_dbus_chat_backlighthelper($1_usertype)
 +		')
 +
++        optional_policy(`
++            memcached_stream_connect($1_usertype)
++        ')
++
 +		optional_policy(`
 +			modemmanager_dbus_chat($1_usertype)
 +		')
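Review bot: The new `optional_policy` block around `memcached_stream_connect($1_usertype)` is indented with spaces while the neighbouring blocks use tabs, and it has no comment explaining why the access is needed. Because it is applied to `$1_usertype`, every user domain built from this template (apparently `userdom_common_user_template`; the template starts and ends outside the hunk) may connect to memcached's stream socket. Memcached normally does not authenticate clients, so SELinux is the main control deciding which local processes can read or change the cache. I would re-indent with tabs and add a comment line such as `# users need the local memcached socket for <REASON / BUG-ID>`, or grant it only to the user types that actually need it.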
@@ -40237,7 +40179,7 @@ index 3c5dba7..a44c781 100644
  	')
  
  	optional_policy(`
-@@ -642,23 +810,21 @@ template(`userdom_common_user_template',`
+@@ -642,23 +814,21 @@ template(`userdom_common_user_template',`
  	optional_policy(`
  		mpd_manage_user_data_content($1_t)
  		mpd_relabel_user_data_content($1_t)
@@ -40266,7 +40208,7 @@ index 3c5dba7..a44c781 100644
  			mysql_stream_connect($1_t)
  		')
  	')
-@@ -671,7 +837,7 @@ template(`userdom_common_user_template',`
+@@ -671,7 +841,7 @@ template(`userdom_common_user_template',`
  
  	optional_policy(`
  		# to allow monitoring of pcmcia status
@@ -40275,7 +40217,7 @@ index 3c5dba7..a44c781 100644
  	')
  
  	optional_policy(`
-@@ -680,9 +846,9 @@ template(`userdom_common_user_template',`
+@@ -680,9 +850,9 @@ template(`userdom_common_user_template',`
  	')
  
  	optional_policy(`
@@ -40288,7 +40230,7 @@ index 3c5dba7..a44c781 100644
  		')
  	')
  
-@@ -693,32 +859,35 @@ template(`userdom_common_user_template',`
+@@ -693,32 +863,35 @@ template(`userdom_common_user_template',`
  	')
  
  	optional_policy(`
@@ -40335,7 +40277,7 @@ index 3c5dba7..a44c781 100644
  	')
  ')
  
-@@ -743,17 +912,33 @@ template(`userdom_common_user_template',`
+@@ -743,17 +916,33 @@ template(`userdom_common_user_template',`
  template(`userdom_login_user_template', `
  	gen_require(`
  		class context contains;
@@ -40373,7 +40315,7 @@ index 3c5dba7..a44c781 100644
  
  	userdom_change_password_template($1)
  
-@@ -761,82 +946,101 @@ template(`userdom_login_user_template', `
+@@ -761,82 +950,101 @@ template(`userdom_login_user_template', `
  	#
  	# User domain Local policy
  	#
@@ -40511,7 +40453,7 @@ index 3c5dba7..a44c781 100644
  	')
  ')
  
-@@ -868,6 +1072,12 @@ template(`userdom_restricted_user_template',`
+@@ -868,6 +1076,12 @@ template(`userdom_restricted_user_template',`
  	typeattribute $1_t unpriv_userdomain;
  	domain_interactive_fd($1_t)
  
@@ -40524,7 +40466,7 @@ index 3c5dba7..a44c781 100644
  	##############################
  	#
  	# Local policy
-@@ -907,42 +1117,99 @@ template(`userdom_restricted_xwindows_user_template',`
+@@ -907,42 +1121,99 @@ template(`userdom_restricted_xwindows_user_template',`
  	#
  	# Local policy
  	#
@@ -40613,31 +40555,31 @@ index 3c5dba7..a44c781 100644
 +			consolekit_dontaudit_read_log($1_usertype)
 +			consolekit_dbus_chat($1_usertype)
 +		')
-+
-+		optional_policy(`
-+			cups_dbus_chat($1_usertype)
-+			cups_dbus_chat_config($1_usertype)
-+		')
  
  		optional_policy(`
 -			consolekit_dbus_chat($1_t)
-+			devicekit_dbus_chat($1_usertype)
-+			devicekit_dbus_chat_disk($1_usertype)
-+			devicekit_dbus_chat_power($1_usertype)
++			cups_dbus_chat($1_usertype)
++			cups_dbus_chat_config($1_usertype)
  		')
  
  		optional_policy(`
 -			cups_dbus_chat($1_t)
-+			fprintd_dbus_chat($1_t)
++			devicekit_dbus_chat($1_usertype)
++			devicekit_dbus_chat_disk($1_usertype)
++			devicekit_dbus_chat_power($1_usertype)
  		')
  
  		optional_policy(`
 -			gnome_role_template($1, $1_r, $1_t)
++			fprintd_dbus_chat($1_t)
++		')
++
++		optional_policy(`
 +			realmd_dbus_chat($1_t)
  		')
  
  		optional_policy(`
-@@ -951,12 +1218,29 @@ template(`userdom_restricted_xwindows_user_template',`
+@@ -951,12 +1222,29 @@ template(`userdom_restricted_xwindows_user_template',`
  	')
  
  	optional_policy(`
@@ -40668,7 +40610,7 @@ index 3c5dba7..a44c781 100644
  ')
  
  #######################################
-@@ -990,27 +1274,33 @@ template(`userdom_unpriv_user_template', `
+@@ -990,27 +1278,33 @@ template(`userdom_unpriv_user_template', `
  	#
  
  	# Inherit rules for ordinary users.
@@ -40706,7 +40648,7 @@ index 3c5dba7..a44c781 100644
  			fs_manage_noxattr_fs_files($1_t)
  			fs_manage_noxattr_fs_dirs($1_t)
  			# Write floppies
-@@ -1021,23 +1311,60 @@ template(`userdom_unpriv_user_template', `
+@@ -1021,55 +1315,94 @@ template(`userdom_unpriv_user_template', `
  		')
  	')
  
@@ -40732,20 +40674,46 @@ index 3c5dba7..a44c781 100644
 +
 +	tunable_policy(`selinuxuser_tcp_server',`
 +		corenet_tcp_bind_all_unreserved_ports($1_usertype)
-+	')
-+
-+	optional_policy(`
+ 	')
+ 
+ 	optional_policy(`
+-		netutils_run_ping_cond($1_t, $1_r)
+-		netutils_run_traceroute_cond($1_t, $1_r)
 +		cdrecord_role($1_r, $1_t)
-+	')
-+
-+	optional_policy(`
+ 	')
+ 
+-	# Run pppd in pppd_t by default for user
+ 	optional_policy(`
+-		ppp_run_cond($1_t, $1_r)
 +		cron_role($1_r, $1_t)
-+	')
-+
-+	optional_policy(`
+ 	')
+ 
+ 	optional_policy(`
+-		setroubleshoot_stream_connect($1_t)
 +		games_rw_data($1_usertype)
-+	')
-+
+ 	')
+-')
+ 
+-#######################################
+-## <summary>
+-##	The template for creating an administrative user.
+-## </summary>
+-## <desc>
+-##	<p>
+-##	This template creates a user domain, types, and
+-##	rules for the user's tty, pty, home directories,
+-##	tmp, and tmpfs files.
+-##	</p>
+-##	<p>
+-##	The privileges given to administrative users are:
+-##	<ul>
+-##		<li>Raw disk access</li>
+-##		<li>Set all sysctls</li>
+-##		<li>All kernel ring buffer controls</li>
+-##		<li>Create, read, write, and delete all files but shadow</li>
+-##		<li>Manage source and binary format SELinux policy</li>
+-##		<li>Run insmod</li>
+-##	</ul>
 +	optional_policy(`
 +		gpg_role($1_r, $1_usertype)
 +	')
@@ -40767,28 +40735,49 @@ index 3c5dba7..a44c781 100644
 +
 +	optional_policy(`
 +		wine_role_template($1, $1_r, $1_t)
- 	')
- 
- 	optional_policy(`
--		netutils_run_ping_cond($1_t, $1_r)
--		netutils_run_traceroute_cond($1_t, $1_r)
++	')
++
++	optional_policy(`
 +		postfix_run_postdrop($1_t, $1_r)
 +		postfix_search_spool($1_t)
- 	')
- 
- 	# Run pppd in pppd_t by default for user
-@@ -1046,7 +1373,9 @@ template(`userdom_unpriv_user_template', `
- 	')
- 
- 	optional_policy(`
--		setroubleshoot_stream_connect($1_t)
++	')
++
++	# Run pppd in pppd_t by default for user
++	optional_policy(`
++		ppp_run_cond($1_t, $1_r)
++	')
++
++	optional_policy(`
 +		vdagent_getattr_log($1_t)
 +		vdagent_getattr_exec_files($1_t)
 +		vdagent_stream_connect($1_t)
- 	')
- ')
- 
-@@ -1082,7 +1411,7 @@ template(`userdom_unpriv_user_template', `
++	')
++')
++
++#######################################
++## <summary>
++##	The template for creating an administrative user.
++## </summary>
++## <desc>
++##	<p>
++##	This template creates a user domain, types, and
++##	rules for the user's tty, pty, home directories,
++##	tmp, and tmpfs files.
++##	</p>
++##	<p>
++##	The privileges given to administrative users are:
++##	<ul>
++##		<li>Raw disk access</li>
++##		<li>Set all sysctls</li>
++##		<li>All kernel ring buffer controls</li>
++##		<li>Create, read, write, and delete all files but shadow</li>
++##		<li>Manage source and binary format SELinux policy</li>
++##		<li>Run insmod</li>
++##	</ul>
+ ##	</p>
+ ## </desc>
+ ## <param name="userdomain_prefix">
+@@ -1082,7 +1415,7 @@ template(`userdom_unpriv_user_template', `
  template(`userdom_admin_user_template',`
  	gen_require(`
  		attribute admindomain;
@@ -40797,7 +40786,7 @@ index 3c5dba7..a44c781 100644
  	')
  
  	##############################
-@@ -1109,6 +1438,7 @@ template(`userdom_admin_user_template',`
+@@ -1109,6 +1442,7 @@ template(`userdom_admin_user_template',`
  	#
  
  	allow $1_t self:capability ~{ sys_module audit_control audit_write };
@@ -40805,7 +40794,7 @@ index 3c5dba7..a44c781 100644
  	allow $1_t self:process { setexec setfscreate };
  	allow $1_t self:netlink_audit_socket nlmsg_readpriv;
  	allow $1_t self:tun_socket create;
-@@ -1117,6 +1447,9 @@ template(`userdom_admin_user_template',`
+@@ -1117,6 +1451,9 @@ template(`userdom_admin_user_template',`
  	# Skip authentication when pam_rootok is specified.
  	allow $1_t self:passwd rootok;
  
@@ -40815,7 +40804,7 @@ index 3c5dba7..a44c781 100644
  	kernel_read_software_raid_state($1_t)
  	kernel_getattr_core_if($1_t)
  	kernel_getattr_message_if($1_t)
-@@ -1131,6 +1464,7 @@ template(`userdom_admin_user_template',`
+@@ -1131,6 +1468,7 @@ template(`userdom_admin_user_template',`
  	kernel_sigstop_unlabeled($1_t)
  	kernel_signull_unlabeled($1_t)
  	kernel_sigchld_unlabeled($1_t)
@@ -40823,7 +40812,7 @@ index 3c5dba7..a44c781 100644
  
  	corenet_tcp_bind_generic_port($1_t)
  	# allow setting up tunnels
-@@ -1148,10 +1482,14 @@ template(`userdom_admin_user_template',`
+@@ -1148,10 +1486,14 @@ template(`userdom_admin_user_template',`
  	dev_rename_all_blk_files($1_t)
  	dev_rename_all_chr_files($1_t)
  	dev_create_generic_symlinks($1_t)
@@ -40838,7 +40827,7 @@ index 3c5dba7..a44c781 100644
  	domain_dontaudit_ptrace_all_domains($1_t)
  	# signal all domains:
  	domain_kill_all_domains($1_t)
-@@ -1162,29 +1500,38 @@ template(`userdom_admin_user_template',`
+@@ -1162,29 +1504,38 @@ template(`userdom_admin_user_template',`
  	domain_sigchld_all_domains($1_t)
  	# for lsof
  	domain_getattr_all_sockets($1_t)
@@ -40881,7 +40870,7 @@ index 3c5dba7..a44c781 100644
  
  	# The following rule is temporary until such time that a complete
  	# policy management infrastructure is in place so that an administrator
-@@ -1194,6 +1541,8 @@ template(`userdom_admin_user_template',`
+@@ -1194,6 +1545,8 @@ template(`userdom_admin_user_template',`
  	# But presently necessary for installing the file_contexts file.
  	seutil_manage_bin_policy($1_t)
  
@@ -40890,7 +40879,7 @@ index 3c5dba7..a44c781 100644
  	userdom_manage_user_home_content_dirs($1_t)
  	userdom_manage_user_home_content_files($1_t)
  	userdom_manage_user_home_content_symlinks($1_t)
-@@ -1201,13 +1550,17 @@ template(`userdom_admin_user_template',`
+@@ -1201,13 +1554,17 @@ template(`userdom_admin_user_template',`
  	userdom_manage_user_home_content_sockets($1_t)
  	userdom_user_home_dir_filetrans_user_home_content($1_t, { dir file lnk_file fifo_file sock_file })
  
@@ -40909,7 +40898,7 @@ index 3c5dba7..a44c781 100644
  	optional_policy(`
  		postgresql_unconfined($1_t)
  	')
-@@ -1253,6 +1606,8 @@ template(`userdom_security_admin_template',`
+@@ -1253,6 +1610,8 @@ template(`userdom_security_admin_template',`
  	dev_relabel_all_dev_nodes($1)
  
  	files_create_boot_flag($1)
@@ -40918,7 +40907,7 @@ index 3c5dba7..a44c781 100644
  
  	# Necessary for managing /boot/efi
  	fs_manage_dos_files($1)
-@@ -1265,8 +1620,10 @@ template(`userdom_security_admin_template',`
+@@ -1265,8 +1624,10 @@ template(`userdom_security_admin_template',`
  	selinux_set_enforce_mode($1)
  	selinux_set_all_booleans($1)
  	selinux_set_parameters($1)
@@ -40930,7 +40919,7 @@ index 3c5dba7..a44c781 100644
  	auth_relabel_shadow($1)
  
  	init_exec($1)
-@@ -1277,29 +1634,31 @@ template(`userdom_security_admin_template',`
+@@ -1277,29 +1638,31 @@ template(`userdom_security_admin_template',`
  	logging_read_audit_config($1)
  
  	seutil_manage_bin_policy($1)
@@ -40973,7 +40962,7 @@ index 3c5dba7..a44c781 100644
  	')
  
  	optional_policy(`
-@@ -1360,14 +1719,17 @@ interface(`userdom_user_home_content',`
+@@ -1360,14 +1723,17 @@ interface(`userdom_user_home_content',`
  	gen_require(`
  		attribute user_home_content_type;
  		type user_home_t;
@@ -40992,7 +40981,7 @@ index 3c5dba7..a44c781 100644
  ')
  
  ########################################
-@@ -1408,6 +1770,51 @@ interface(`userdom_user_tmpfs_file',`
+@@ -1408,6 +1774,51 @@ interface(`userdom_user_tmpfs_file',`
  ## <summary>
  ##	Allow domain to attach to TUN devices created by administrative users.
  ## </summary>
@@ -41044,7 +41033,7 @@ index 3c5dba7..a44c781 100644
  ## <param name="domain">
  ##	<summary>
  ##	Domain allowed access.
-@@ -1512,11 +1919,31 @@ interface(`userdom_search_user_home_dirs',`
+@@ -1512,11 +1923,31 @@ interface(`userdom_search_user_home_dirs',`
  	')
  
  	allow $1 user_home_dir_t:dir search_dir_perms;
@@ -41076,7 +41065,7 @@ index 3c5dba7..a44c781 100644
  ##	Do not audit attempts to search user home directories.
  ## </summary>
  ## <desc>
-@@ -1558,6 +1985,14 @@ interface(`userdom_list_user_home_dirs',`
+@@ -1558,6 +1989,14 @@ interface(`userdom_list_user_home_dirs',`
  
  	allow $1 user_home_dir_t:dir list_dir_perms;
  	files_search_home($1)
@@ -41091,7 +41080,7 @@ index 3c5dba7..a44c781 100644
  ')
  
  ########################################
-@@ -1573,9 +2008,11 @@ interface(`userdom_list_user_home_dirs',`
+@@ -1573,9 +2012,11 @@ interface(`userdom_list_user_home_dirs',`
  interface(`userdom_dontaudit_list_user_home_dirs',`
  	gen_require(`
  		type user_home_dir_t;
@@ -41103,7 +41092,7 @@ index 3c5dba7..a44c781 100644
  ')
  
  ########################################
-@@ -1632,6 +2069,42 @@ interface(`userdom_relabelto_user_home_dirs',`
+@@ -1632,6 +2073,42 @@ interface(`userdom_relabelto_user_home_dirs',`
  	allow $1 user_home_dir_t:dir relabelto;
  ')
  
@@ -41146,7 +41135,7 @@ index 3c5dba7..a44c781 100644
  ########################################
  ## <summary>
  ##	Create directories in the home dir root with
-@@ -1711,6 +2184,8 @@ interface(`userdom_dontaudit_search_user_home_content',`
+@@ -1711,6 +2188,8 @@ interface(`userdom_dontaudit_search_user_home_content',`
  	')
  
  	dontaudit $1 user_home_t:dir search_dir_perms;
@@ -41155,7 +41144,7 @@ index 3c5dba7..a44c781 100644
  ')
  
  ########################################
-@@ -1744,10 +2219,12 @@ interface(`userdom_list_all_user_home_content',`
+@@ -1744,10 +2223,12 @@ interface(`userdom_list_all_user_home_content',`
  #
  interface(`userdom_list_user_home_content',`
  	gen_require(`
@@ -41170,7 +41159,7 @@ index 3c5dba7..a44c781 100644
  ')
  
  ########################################
-@@ -1772,7 +2249,25 @@ interface(`userdom_manage_user_home_content_dirs',`
+@@ -1772,7 +2253,25 @@ interface(`userdom_manage_user_home_content_dirs',`
  
  ########################################
  ## <summary>
@@ -41197,7 +41186,7 @@ index 3c5dba7..a44c781 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -1782,49 +2277,67 @@ interface(`userdom_manage_user_home_content_dirs',`
+@@ -1782,49 +2281,67 @@ interface(`userdom_manage_user_home_content_dirs',`
  #
  interface(`userdom_delete_all_user_home_content_dirs',`
  	gen_require(`
@@ -41277,7 +41266,7 @@ index 3c5dba7..a44c781 100644
  ')
  
  ########################################
-@@ -1848,6 +2361,25 @@ interface(`userdom_dontaudit_setattr_user_home_content_files',`
+@@ -1848,6 +2365,25 @@ interface(`userdom_dontaudit_setattr_user_home_content_files',`
  
  ########################################
  ## <summary>
@@ -41303,7 +41292,7 @@ index 3c5dba7..a44c781 100644
  ##	Mmap user home files.
  ## </summary>
  ## <param name="domain">
-@@ -1878,14 +2410,36 @@ interface(`userdom_mmap_user_home_content_files',`
+@@ -1878,14 +2414,36 @@ interface(`userdom_mmap_user_home_content_files',`
  interface(`userdom_read_user_home_content_files',`
  	gen_require(`
  		type user_home_dir_t, user_home_t;
@@ -41341,7 +41330,7 @@ index 3c5dba7..a44c781 100644
  ##	Do not audit attempts to read user home files.
  ## </summary>
  ## <param name="domain">
-@@ -1896,11 +2450,14 @@ interface(`userdom_read_user_home_content_files',`
+@@ -1896,11 +2454,14 @@ interface(`userdom_read_user_home_content_files',`
  #
  interface(`userdom_dontaudit_read_user_home_content_files',`
  	gen_require(`
@@ -41359,89 +41348,148 @@ index 3c5dba7..a44c781 100644
  ')
  
  ########################################
-@@ -1941,7 +2498,25 @@ interface(`userdom_dontaudit_write_user_home_content_files',`
+@@ -1941,7 +2502,7 @@ interface(`userdom_dontaudit_write_user_home_content_files',`
  
  ########################################
  ## <summary>
 -##	Delete all user home content files.
 +##	Delete files in a user home subdirectory.
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	Domain allowed access.
-+##	</summary>
-+## </param>
-+#
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+@@ -1949,19 +2510,17 @@ interface(`userdom_dontaudit_write_user_home_content_files',`
+ ##	</summary>
+ ## </param>
+ #
+-interface(`userdom_delete_all_user_home_content_files',`
 +interface(`userdom_delete_user_home_content_files',`
-+	gen_require(`
+ 	gen_require(`
+-		attribute user_home_content_type;
+-		type user_home_dir_t;
 +		type user_home_t;
-+	')
-+
+ 	')
+ 
+-	userdom_search_user_home_content($1)
+-	delete_files_pattern($1 { user_home_dir_t user_home_content_type }, user_home_content_type)
 +	allow $1 user_home_t:file delete_file_perms;
-+')
-+
-+########################################
-+## <summary>
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Delete files in a user home subdirectory.
 +##	Delete all files in a user home subdirectory.
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -1951,17 +2526,15 @@ interface(`userdom_dontaudit_write_user_home_content_files',`
+@@ -1969,35 +2528,35 @@ interface(`userdom_delete_all_user_home_content_files',`
+ ##	</summary>
+ ## </param>
  #
- interface(`userdom_delete_all_user_home_content_files',`
+-interface(`userdom_delete_user_home_content_files',`
++interface(`userdom_delete_all_user_home_content_files',`
  	gen_require(`
--		attribute user_home_content_type;
--		type user_home_dir_t;
+-		type user_home_t;
 +		attribute user_home_type;
  	')
  
--	userdom_search_user_home_content($1)
--	delete_files_pattern($1 { user_home_dir_t user_home_content_type }, user_home_content_type)
+-	allow $1 user_home_t:file delete_file_perms;
 +	allow $1 user_home_type:file delete_file_perms;
  ')
  
  ########################################
  ## <summary>
--##	Delete files in a user home subdirectory.
+-##	Do not audit attempts to write user home files.
 +##	Delete sock files in a user home subdirectory.
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -1969,12 +2542,48 @@ interface(`userdom_delete_all_user_home_content_files',`
+-##	Domain to not audit.
++##	Domain allowed access.
  ##	</summary>
  ## </param>
  #
--interface(`userdom_delete_user_home_content_files',`
+-interface(`userdom_dontaudit_relabel_user_home_content_files',`
 +interface(`userdom_delete_user_home_content_sock_files',`
  	gen_require(`
  		type user_home_t;
  	')
  
--	allow $1 user_home_t:file delete_file_perms;
+-	dontaudit $1 user_home_t:file relabel_file_perms;
 +	allow $1 user_home_t:sock_file delete_file_perms;
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Read user home subdirectory symbolic links.
++##	Delete all sock files in a user home subdirectory.
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+@@ -2005,45 +2564,92 @@ interface(`userdom_dontaudit_relabel_user_home_content_files',`
+ ##	</summary>
+ ## </param>
+ #
+-interface(`userdom_read_user_home_content_symlinks',`
++interface(`userdom_delete_all_user_home_content_sock_files',`
+ 	gen_require(`
+-		type user_home_dir_t, user_home_t;
++		attribute user_home_type;
+ 	')
+ 
+-	read_lnk_files_pattern($1, { user_home_dir_t user_home_t }, user_home_t)
+-	files_search_home($1)
++	allow $1 user_home_type:sock_file delete_file_perms;
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Execute user home files.
++##	Delete all files in a user home subdirectory.
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+ ##	Domain allowed access.
+ ##	</summary>
+ ## </param>
+-## <rolecap/>
+ #
+-interface(`userdom_exec_user_home_content_files',`
++interface(`userdom_delete_all_user_home_content',`
+ 	gen_require(`
+-		type user_home_dir_t, user_home_t;
++		attribute user_home_type;
+ 	')
+ 
+-	files_search_home($1)
+-	exec_files_pattern($1, { user_home_dir_t user_home_t }, user_home_t)
++	allow $1 user_home_type:dir_file_class_set delete_file_perms;
 +')
-+
+ 
+-	tunable_policy(`use_nfs_home_dirs',`
+-		fs_exec_nfs_files($1)
 +########################################
 +## <summary>
-+##	Delete all sock files in a user home subdirectory.
++##	Do not audit attempts to write user home files.
 +## </summary>
 +## <param name="domain">
 +##	<summary>
-+##	Domain allowed access.
++##	Domain to not audit.
 +##	</summary>
 +## </param>
 +#
-+interface(`userdom_delete_all_user_home_content_sock_files',`
++interface(`userdom_dontaudit_relabel_user_home_content_files',`
 +	gen_require(`
-+		attribute user_home_type;
-+	')
-+
-+	allow $1 user_home_type:sock_file delete_file_perms;
++		type user_home_t;
+ 	')
+ 
+-	tunable_policy(`use_samba_home_dirs',`
+-		fs_exec_cifs_files($1)
++	dontaudit $1 user_home_t:file relabel_file_perms;
 +')
 +
 +########################################
 +## <summary>
-+##	Delete all files in a user home subdirectory.
++##	Read user home subdirectory symbolic links.
 +## </summary>
 +## <param name="domain">
 +##	<summary>
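Review bot: `userdom_delete_all_user_home_content` has the same summary as `userdom_delete_all_user_home_content_files` ("Delete all files in a user home subdirectory.") although its rule is written against `dir_file_class_set`, so the generated interface documentation cannot tell the two apart. A summary such as `##	Delete all user home content of any object class.` would say what the interface actually grants. The rule also pairs `dir_file_class_set` with `delete_file_perms`; in the reference policy that permission set is getattr plus unlink and has no `rmdir`, so directories are presumably not removable through it (confirm against this tree's permission-set definitions). If directory removal is intended, add `allow $1 user_home_type:dir delete_dir_perms;`; if not, narrow the class set so the rule does not read as broader than it is.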
@@ -41449,51 +41497,42 @@ index 3c5dba7..a44c781 100644
 +##	</summary>
 +## </param>
 +#
-+interface(`userdom_delete_all_user_home_content',`
++interface(`userdom_read_user_home_content_symlinks',`
 +	gen_require(`
-+		attribute user_home_type;
-+	')
-+
-+	allow $1 user_home_type:dir_file_class_set delete_file_perms;
- ')
- 
- ########################################
-@@ -2010,8 +2619,7 @@ interface(`userdom_read_user_home_content_symlinks',`
- 		type user_home_dir_t, user_home_t;
++		type user_home_dir_t, user_home_t;
  	')
- 
--	read_lnk_files_pattern($1, { user_home_dir_t user_home_t }, user_home_t)
--	files_search_home($1)
++
 +	allow $1 { user_home_dir_t user_home_t }:lnk_file  read_lnk_file_perms;
  ')
  
  ########################################
-@@ -2027,20 +2635,14 @@ interface(`userdom_read_user_home_content_symlinks',`
- #
- interface(`userdom_exec_user_home_content_files',`
- 	gen_require(`
--		type user_home_dir_t, user_home_t;
+ ## <summary>
++##	Execute user home files.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++## <rolecap/>
++#
++interface(`userdom_exec_user_home_content_files',`
++	gen_require(`
 +		type user_home_dir_t;
 +		attribute user_home_type;
- 	')
- 
- 	files_search_home($1)
--	exec_files_pattern($1, { user_home_dir_t user_home_t }, user_home_t)
--
--	tunable_policy(`use_nfs_home_dirs',`
--		fs_exec_nfs_files($1)
--	')
--
--	tunable_policy(`use_samba_home_dirs',`
--		fs_exec_cifs_files($1)
++	')
++
++	files_search_home($1)
 +	exec_files_pattern($1, { user_home_dir_t user_home_type }, user_home_type)
 +	dontaudit $1 user_home_type:sock_file execute;
- 	')
--')
- 
- ########################################
- ## <summary>
-@@ -2123,7 +2725,7 @@ interface(`userdom_manage_user_home_content_symlinks',`
++	')
++
++########################################
++## <summary>
+ ##	Do not audit attempts to execute user home files.
+ ## </summary>
+ ## <param name="domain">
+@@ -2123,7 +2729,7 @@ interface(`userdom_manage_user_home_content_symlinks',`
  
  ########################################
  ## <summary>
@@ -41502,7 +41541,7 @@ index 3c5dba7..a44c781 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -2131,19 +2733,17 @@ interface(`userdom_manage_user_home_content_symlinks',`
+@@ -2131,19 +2737,17 @@ interface(`userdom_manage_user_home_content_symlinks',`
  ##	</summary>
  ## </param>
  #
@@ -41526,7 +41565,7 @@ index 3c5dba7..a44c781 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -2151,12 +2751,12 @@ interface(`userdom_delete_all_user_home_content_symlinks',`
+@@ -2151,12 +2755,12 @@ interface(`userdom_delete_all_user_home_content_symlinks',`
  ##	</summary>
  ## </param>
  #
@@ -41542,7 +41581,7 @@ index 3c5dba7..a44c781 100644
  ')
  
  ########################################
-@@ -2393,11 +2993,11 @@ interface(`userdom_dontaudit_manage_user_tmp_dirs',`
+@@ -2393,11 +2997,11 @@ interface(`userdom_dontaudit_manage_user_tmp_dirs',`
  #
  interface(`userdom_read_user_tmp_files',`
  	gen_require(`
@@ -41557,7 +41596,7 @@ index 3c5dba7..a44c781 100644
  	files_search_tmp($1)
  ')
  
-@@ -2417,7 +3017,7 @@ interface(`userdom_dontaudit_read_user_tmp_files',`
+@@ -2417,7 +3021,7 @@ interface(`userdom_dontaudit_read_user_tmp_files',`
  		type user_tmp_t;
  	')
  
@@ -41566,7 +41605,7 @@ index 3c5dba7..a44c781 100644
  ')
  
  ########################################
-@@ -2664,6 +3264,25 @@ interface(`userdom_tmp_filetrans_user_tmp',`
+@@ -2664,6 +3268,25 @@ interface(`userdom_tmp_filetrans_user_tmp',`
  	files_tmp_filetrans($1, user_tmp_t, $2, $3)
  ')
  
@@ -41592,7 +41631,7 @@ index 3c5dba7..a44c781 100644
  ########################################
  ## <summary>
  ##	Read user tmpfs files.
-@@ -2680,13 +3299,14 @@ interface(`userdom_read_user_tmpfs_files',`
+@@ -2680,13 +3303,14 @@ interface(`userdom_read_user_tmpfs_files',`
  	')
  
  	read_files_pattern($1, user_tmpfs_t, user_tmpfs_t)
@@ -41608,7 +41647,7 @@ index 3c5dba7..a44c781 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -2707,7 +3327,7 @@ interface(`userdom_rw_user_tmpfs_files',`
+@@ -2707,7 +3331,7 @@ interface(`userdom_rw_user_tmpfs_files',`
  
  ########################################
  ## <summary>
@@ -41617,7 +41656,7 @@ index 3c5dba7..a44c781 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -2715,14 +3335,30 @@ interface(`userdom_rw_user_tmpfs_files',`
+@@ -2715,14 +3339,30 @@ interface(`userdom_rw_user_tmpfs_files',`
  ##	</summary>
  ## </param>
  #
@@ -41652,7 +41691,7 @@ index 3c5dba7..a44c781 100644
  ')
  
  ########################################
-@@ -2817,6 +3453,24 @@ interface(`userdom_use_user_ttys',`
+@@ -2817,6 +3457,24 @@ interface(`userdom_use_user_ttys',`
  
  ########################################
  ## <summary>
@@ -41677,7 +41716,7 @@ index 3c5dba7..a44c781 100644
  ##	Read and write a user domain pty.
  ## </summary>
  ## <param name="domain">
-@@ -2835,22 +3489,34 @@ interface(`userdom_use_user_ptys',`
+@@ -2835,22 +3493,34 @@ interface(`userdom_use_user_ptys',`
  
  ########################################
  ## <summary>
@@ -41720,7 +41759,7 @@ index 3c5dba7..a44c781 100644
  ## </desc>
  ## <param name="domain">
  ##	<summary>
-@@ -2859,14 +3525,33 @@ interface(`userdom_use_user_ptys',`
+@@ -2859,14 +3529,33 @@ interface(`userdom_use_user_ptys',`
  ## </param>
  ## <infoflow type="both" weight="10"/>
  #
@@ -41758,7 +41797,7 @@ index 3c5dba7..a44c781 100644
  ')
  
  ########################################
-@@ -2885,8 +3570,27 @@ interface(`userdom_dontaudit_use_user_terminals',`
+@@ -2885,8 +3574,27 @@ interface(`userdom_dontaudit_use_user_terminals',`
  		type user_tty_device_t, user_devpts_t;
  	')
  
@@ -41788,7 +41827,7 @@ index 3c5dba7..a44c781 100644
  ')
  
  ########################################
-@@ -2958,69 +3662,68 @@ interface(`userdom_spec_domtrans_unpriv_users',`
+@@ -2958,69 +3666,68 @@ interface(`userdom_spec_domtrans_unpriv_users',`
  	allow unpriv_userdomain $1:process sigchld;
  ')
  
@@ -41889,7 +41928,7 @@ index 3c5dba7..a44c781 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -3028,12 +3731,12 @@ interface(`userdom_manage_unpriv_user_semaphores',`
+@@ -3028,12 +3735,12 @@ interface(`userdom_manage_unpriv_user_semaphores',`
  ##	</summary>
  ## </param>
  #
@@ -41904,7 +41943,7 @@ index 3c5dba7..a44c781 100644
  ')
  
  ########################################
-@@ -3097,7 +3800,7 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
+@@ -3097,7 +3804,7 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
  
  	domain_entry_file_spec_domtrans($1, unpriv_userdomain)
  	allow unpriv_userdomain $1:fd use;
@@ -41913,7 +41952,7 @@ index 3c5dba7..a44c781 100644
  	allow unpriv_userdomain $1:process sigchld;
  ')
  
-@@ -3113,29 +3816,13 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
+@@ -3113,29 +3820,13 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
  #
  interface(`userdom_search_user_home_content',`
  	gen_require(`
@@ -41947,7 +41986,7 @@ index 3c5dba7..a44c781 100644
  ')
  
  ########################################
-@@ -3217,7 +3904,25 @@ interface(`userdom_dontaudit_use_user_ptys',`
+@@ -3217,7 +3908,25 @@ interface(`userdom_dontaudit_use_user_ptys',`
  		type user_devpts_t;
  	')
  
@@ -41974,18 +42013,67 @@ index 3c5dba7..a44c781 100644
  ')
  
  ########################################
-@@ -3272,7 +3977,83 @@ interface(`userdom_write_user_tmp_files',`
+@@ -3272,12 +3981,13 @@ interface(`userdom_write_user_tmp_files',`
  		type user_tmp_t;
  	')
  
 -	allow $1 user_tmp_t:file write_file_perms;
 +	write_files_pattern($1, user_tmp_t, user_tmp_t)
-+')
-+
-+########################################
-+## <summary>
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Do not audit attempts to use user ttys.
 +##	Do not audit attempts to write users
 +##	temporary files.
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+@@ -3285,36 +3995,112 @@ interface(`userdom_write_user_tmp_files',`
+ ##	</summary>
+ ## </param>
+ #
+-interface(`userdom_dontaudit_use_user_ttys',`
++interface(`userdom_dontaudit_write_user_tmp_files',`
+ 	gen_require(`
+-		type user_tty_device_t;
++		type user_tmp_t;
+ 	')
+ 
+-	dontaudit $1 user_tty_device_t:chr_file rw_file_perms;
++	dontaudit $1 user_tmp_t:file write;
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Read the process state of all user domains.
++##	Do not audit attempts to delete users
++##	temporary files.
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+-##	Domain allowed access.
++##	Domain to not audit.
+ ##	</summary>
+ ## </param>
+ #
+-interface(`userdom_read_all_users_state',`
++interface(`userdom_dontaudit_delete_user_tmp_files',`
+ 	gen_require(`
+-		attribute userdomain;
++		type user_tmp_t;
+ 	')
+ 
+-	read_files_pattern($1, userdomain, userdomain)
+-	kernel_search_proc($1)
++	dontaudit $1 user_tmp_t:file delete_file_perms;
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Get the attributes of all user domains.
++##	Do not audit attempts to read/write users
++##	temporary fifo files.
 +## </summary>
 +## <param name="domain">
 +##	<summary>
@@ -41993,37 +42081,36 @@ index 3c5dba7..a44c781 100644
 +##	</summary>
 +## </param>
 +#
-+interface(`userdom_dontaudit_write_user_tmp_files',`
++interface(`userdom_dontaudit_rw_user_tmp_pipes',`
 +	gen_require(`
 +		type user_tmp_t;
 +	')
 +
-+	dontaudit $1 user_tmp_t:file write;
++	dontaudit $1 user_tmp_t:fifo_file rw_inherited_fifo_file_perms;
 +')
 +
 +########################################
 +## <summary>
-+##	Do not audit attempts to delete users
-+##	temporary files.
++##	Allow domain to read/write inherited users
++##	fifo files.
 +## </summary>
 +## <param name="domain">
 +##	<summary>
-+##	Domain to not audit.
++##	Domain allowed access.
 +##	</summary>
 +## </param>
 +#
-+interface(`userdom_dontaudit_delete_user_tmp_files',`
++interface(`userdom_rw_inherited_user_pipes',`
 +	gen_require(`
-+		type user_tmp_t;
++		attribute userdomain;
 +	')
 +
-+	dontaudit $1 user_tmp_t:file delete_file_perms;
++	allow $1 userdomain:fifo_file rw_inherited_fifo_file_perms;
 +')
 +
 +########################################
 +## <summary>
-+##	Do not audit attempts to read/write users
-+##	temporary fifo files.
++##	Do not audit attempts to use user ttys.
 +## </summary>
 +## <param name="domain">
 +##	<summary>
@@ -42031,18 +42118,17 @@ index 3c5dba7..a44c781 100644
 +##	</summary>
 +## </param>
 +#
-+interface(`userdom_dontaudit_rw_user_tmp_pipes',`
++interface(`userdom_dontaudit_use_user_ttys',`
 +	gen_require(`
-+		type user_tmp_t;
++		type user_tty_device_t;
 +	')
 +
-+	dontaudit $1 user_tmp_t:fifo_file rw_inherited_fifo_file_perms;
++	dontaudit $1 user_tty_device_t:chr_file rw_inherited_file_perms;
 +')
 +
 +########################################
 +## <summary>
-+##	Allow domain to read/write inherited users
-+##	fifo files.
++##	Read the process state of all user domains.
 +## </summary>
 +## <param name="domain">
 +##	<summary>
@@ -42050,108 +42136,47 @@ index 3c5dba7..a44c781 100644
 +##	</summary>
 +## </param>
 +#
-+interface(`userdom_rw_inherited_user_pipes',`
++interface(`userdom_read_all_users_state',`
 +	gen_require(`
 +		attribute userdomain;
 +	')
 +
-+	allow $1 userdomain:fifo_file rw_inherited_fifo_file_perms;
- ')
- 
- ########################################
-@@ -3290,7 +4071,7 @@ interface(`userdom_dontaudit_use_user_ttys',`
- 		type user_tty_device_t;
- 	')
- 
--	dontaudit $1 user_tty_device_t:chr_file rw_file_perms;
-+	dontaudit $1 user_tty_device_t:chr_file rw_inherited_file_perms;
- ')
- 
- ########################################
-@@ -3309,6 +4090,7 @@ interface(`userdom_read_all_users_state',`
- 	')
- 
- 	read_files_pattern($1, userdomain, userdomain)
++	read_files_pattern($1, userdomain, userdomain)
 +	read_lnk_files_pattern($1,userdomain,userdomain)
- 	kernel_search_proc($1)
- ')
- 
-@@ -3385,27 +4167,27 @@ interface(`userdom_signal_all_users',`
++	kernel_search_proc($1)
++')
++
++########################################
++## <summary>
++##	Get the attributes of all user domains.
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+@@ -3385,6 +4171,42 @@ interface(`userdom_signal_all_users',`
  	allow $1 userdomain:process signal;
  ')
  
--########################################
 +#######################################
- ## <summary>
--##	Send a SIGCHLD signal to all user domains.
++## <summary>
 +##  Send signull to all user domains.
- ## </summary>
- ## <param name="domain">
--##	<summary>
--##	Domain allowed access.
--##	</summary>
++## </summary>
++## <param name="domain">
 +##  <summary>
 +##  Domain allowed access.
 +##  </summary>
- ## </param>
- #
--interface(`userdom_sigchld_all_users',`
--	gen_require(`
--		attribute userdomain;
--	')
++## </param>
++#
 +interface(`userdom_signull_all_users',`
 +    gen_require(`
 +        attribute userdomain;
 +    ')
- 
--	allow $1 userdomain:process sigchld;
-+    allow $1 userdomain:process signull;
- ')
- 
- ########################################
- ## <summary>
--##	Create keys for all user domains.
-+##	Send kill signals to all user domains.
- ## </summary>
- ## <param name="domain">
- ##	<summary>
-@@ -3413,17 +4195,17 @@ interface(`userdom_sigchld_all_users',`
- ##	</summary>
- ## </param>
- #
--interface(`userdom_create_all_users_keys',`
-+interface(`userdom_kill_all_users',`
- 	gen_require(`
- 		attribute userdomain;
- 	')
- 
--	allow $1 userdomain:key create;
-+	allow $1 userdomain:process sigkill;
- ')
- 
- ########################################
- ## <summary>
--##	Send a dbus message to all user domains.
-+##	Send a SIGCHLD signal to all user domains.
- ## </summary>
- ## <param name="domain">
- ##	<summary>
-@@ -3431,11 +4213,1552 @@ interface(`userdom_create_all_users_keys',`
- ##	</summary>
- ## </param>
- #
--interface(`userdom_dbus_send_all_users',`
-+interface(`userdom_sigchld_all_users',`
-+	gen_require(`
-+		attribute userdomain;
-+	')
 +
-+	allow $1 userdomain:process sigchld;
++    allow $1 userdomain:process signull;
 +')
 +
 +########################################
 +## <summary>
-+##	Read keys for all user domains.
++##	Send kill signals to all user domains.
 +## </summary>
 +## <param name="domain">
 +##	<summary>
@@ -42159,17 +42184,22 @@ index 3c5dba7..a44c781 100644
 +##	</summary>
 +## </param>
 +#
-+interface(`userdom_read_all_users_keys',`
++interface(`userdom_kill_all_users',`
 +	gen_require(`
 +		attribute userdomain;
 +	')
 +
-+	allow $1 userdomain:key read;
++	allow $1 userdomain:process sigkill;
 +')
 +
-+########################################
-+## <summary>
-+##	Create keys for all user domains.
+ ########################################
+ ## <summary>
+ ##	Send a SIGCHLD signal to all user domains.
+@@ -3405,6 +4227,24 @@ interface(`userdom_sigchld_all_users',`
+ 
+ ########################################
+ ## <summary>
++##	Read keys for all user domains.
 +## </summary>
 +## <param name="domain">
 +##	<summary>
@@ -42177,28 +42207,20 @@ index 3c5dba7..a44c781 100644
 +##	</summary>
 +## </param>
 +#
-+interface(`userdom_create_all_users_keys',`
++interface(`userdom_read_all_users_keys',`
 +	gen_require(`
 +		attribute userdomain;
 +	')
 +
-+	allow $1 userdomain:key create;
++	allow $1 userdomain:key read;
 +')
 +
 +########################################
 +## <summary>
-+##	Send a dbus message to all user domains.
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	Domain allowed access.
-+##	</summary>
-+## </param>
-+#
-+interface(`userdom_dbus_send_all_users',`
- 	gen_require(`
- 		attribute userdomain;
- 		class dbus send_msg;
+ ##	Create keys for all user domains.
+ ## </summary>
+ ## <param name="domain">
+@@ -3438,4 +4278,1491 @@ interface(`userdom_dbus_send_all_users',`
  	')
  
  	allow $1 userdomain:dbus send_msg;
diff --git a/policy-f19-contrib.patch b/policy-f19-contrib.patch
index d1644f4..79ba43c 100644
--- a/policy-f19-contrib.patch
+++ b/policy-f19-contrib.patch
@@ -8235,10 +8235,10 @@ index 536ec3c..271b976 100644
 -
 -miscfiles_read_localization(bcfg2_t)
 diff --git a/bind.fc b/bind.fc
-index 2b9a3a1..1742ebf 100644
+index 2b9a3a1..838a9a1 100644
 --- a/bind.fc
 +++ b/bind.fc
-@@ -1,54 +1,71 @@
+@@ -1,54 +1,72 @@
 -/etc/rc\.d/init\.d/named	--	gen_context(system_u:object_r:named_initrc_exec_t,s0)
 -/etc/rc\.d/init\.d/unbound	--	gen_context(system_u:object_r:named_initrc_exec_t,s0)
 +/etc/rc\.d/init\.d/named --	gen_context(system_u:object_r:named_initrc_exec_t,s0)
@@ -8336,6 +8336,7 @@ index 2b9a3a1..1742ebf 100644
 -/var/named/chroot/var/named/slaves(/.*)?	gen_context(system_u:object_r:named_cache_t,s0)
 -/var/named/chroot/var/named/data(/.*)?	gen_context(system_u:object_r:named_cache_t,s0)
 +/var/named/chroot/var/run/named.* gen_context(system_u:object_r:named_var_run_t,s0)
++/var/named/chroot/run/named.* gen_context(system_u:object_r:named_var_run_t,s0)
 +/var/named/chroot/var/tmp(/.*)? gen_context(system_u:object_r:named_cache_t,s0)
 +/var/named/chroot/var/named(/.*)? gen_context(system_u:object_r:named_zone_t,s0)
 +/var/named/chroot/var/named/slaves(/.*)? gen_context(system_u:object_r:named_cache_t,s0)
@@ -78096,10 +78097,10 @@ index 0000000..b7db254
 +# Empty
 diff --git a/sandbox.if b/sandbox.if
 new file mode 100644
-index 0000000..577dfa7
+index 0000000..a2cb772
 --- /dev/null
 +++ b/sandbox.if
-@@ -0,0 +1,55 @@
+@@ -0,0 +1,85 @@
 +
 +## <summary>policy for sandbox</summary>
 +
@@ -78124,12 +78125,42 @@ index 0000000..577dfa7
 +		attribute sandbox_domain;
 +	')
 +
-+	allow $1 sandbox_domain:process transition;
-+	dontaudit $1 sandbox_domain:process { noatsecure siginh rlimitinh };
-+	role $2 types sandbox_domain;
-+	allow sandbox_domain $1:process { sigchld signull };
-+	allow sandbox_domain $1:fifo_file rw_inherited_fifo_file_perms;
-+	dontaudit sandbox_domain $1:process signal;
++    sandbox_dyntransition($1) #885288
++    allow $1 sandbox_domain:process transition;
++    dontaudit $1 sandbox_domain:process { noatsecure siginh rlimitinh };
++
++    role $2 types sandbox_domain;
++
++    allow sandbox_domain $1:process { sigchld signull };
++    allow sandbox_domain $1:fifo_file rw_inherited_fifo_file_perms;
++
++    dontaudit sandbox_domain $1:process signal;
++    dontaudit sandbox_domain $1:key { link read search view };
++    dontaudit sandbox_domain $1:unix_stream_socket rw_socket_perms;
++')
++
++########################################
++## <summary>
++##	Execute sandbox in the sandbox domain, and
++##	allow the specified role the sandbox domain.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access
++##	</summary>
++## </param>
++## <param name="role">
++##	<summary>
++##	The role to be allowed the sandbox domain.
++##	</summary>
++## </param>
++#
++interface(`sandbox_dyntransition',`
++	gen_require(`
++		attribute sandbox_domain;
++	')
++
++	allow $1 sandbox_domain:process dyntransition;
 +')
 +
 +########################################
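Review bot: The new `sandbox_dyntransition($1) #885288` line at the top of the sandbox_transition() body gives every existing caller `process dyntransition` to all `sandbox_domain` types, on top of the exec-based `transition` they already had. A dynamic transition lets the caller change its own context in place, without executing an entrypoint, so it is the wider grant; callers that need it could call sandbox_dyntransition() directly. If it stays here, replace the bare bug number with a reason, e.g. `# callers switch context without exec, see bug 885288`. The header of the new `sandbox_dyntransition` interface is also copied from sandbox_transition(): it describes executing sandbox and documents a `role` parameter, but the body uses only `$1`. Its summary should read something like `##	Allow the specified domain to dyntransition to sandbox domains.` and the `<param name="role">` block should be dropped. The sandbox_transition() interface begins above this hunk, so its full parameter documentation is not visible here.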
@@ -90823,7 +90854,7 @@ index 1c35171..2cba4df 100644
  	domain_system_change_exemption($1)
  	role_transition $2 varnishd_initrc_exec_t system_r;
 diff --git a/varnishd.te b/varnishd.te
-index 9d4d8cb..f50c3ff 100644
+index 9d4d8cb..a58e2dd 100644
 --- a/varnishd.te
 +++ b/varnishd.te
 @@ -21,7 +21,7 @@ type varnishd_initrc_exec_t;
@@ -90835,7 +90866,7 @@ index 9d4d8cb..f50c3ff 100644
  
  type varnishd_tmp_t;
  files_tmp_file(varnishd_tmp_t)
-@@ -43,7 +43,7 @@ type varnishlog_var_run_t;
+@@ -43,16 +43,16 @@ type varnishlog_var_run_t;
  files_pid_file(varnishlog_var_run_t)
  
  type varnishlog_log_t;
@@ -90844,9 +90875,11 @@ index 9d4d8cb..f50c3ff 100644
  
  ########################################
  #
-@@ -52,7 +52,7 @@ files_type(varnishlog_log_t)
+ # Local policy
+ #
  
- allow varnishd_t self:capability { kill dac_override ipc_lock setuid setgid };
+-allow varnishd_t self:capability { kill dac_override ipc_lock setuid setgid };
++allow varnishd_t self:capability { kill dac_override ipc_lock setuid setgid chown };
  dontaudit varnishd_t self:capability sys_tty_config;
 -allow varnishd_t self:process signal;
 +allow varnishd_t self:process { execmem signal };
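Review bot: The `chown` added to `allow varnishd_t self:capability { kill dac_override ipc_lock setuid setgid chown };` has no recorded justification. The line carries no comment, and the %changelog entry this commit adds mentions only sandbox_transition(). The domain already holds `dac_override`, `setuid` and `setgid`, and the next rule grants `execmem`, so each extra capability is worth a one-line reason such as `# chown: <operation that needs it, bug reference>` (placeholder, since the page does not say which operation triggered the denial). A matching changelog line would let an auditor trace the grant. The local policy section continues past the end of this hunk, so other rules for `varnishd_t` are not visible here.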
diff --git a/selinux-policy.spec b/selinux-policy.spec
index c8d5ead..f2f6ca7 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -19,7 +19,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.12.1
-Release: 74.25%{?dist}
+Release: 74.26%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -542,6 +542,9 @@ SELinux Reference policy mls base module.
 %endif
 
 %changelog
+* Wed May 02 2014 Miroslav Grepl <mgrepl at redhat.com> 3.12.1-74.26
+- Update sandbox_transition() to call sandbox_dyntrasition().
+
 * Fri May 02 2014 Lukas Vrabec <lvrabec at redhat.com> 3.12.1-74.25
 - Add interface sysnet_manage_ifconfig_run
 - Added sysnet_filetrans_named_content_ifconfig interface

