lvrabec pushed to selinux-policy (f22). "* Mon Mar 30 2015 Lukas Vrabec <lvrabec at redhat.com> 3.13.1-120 (..more)"

notifications at fedoraproject.org notifications at fedoraproject.org
Mon Mar 30 18:11:31 UTC 2015


>From 5d36f17b4369ffe6ee53a818ff8f811900c9eda5 Mon Sep 17 00:00:00 2001
From: Lukas Vrabec <lvrabec at redhat.com>
Date: Mon, 30 Mar 2015 20:11:14 +0200
Subject: * Mon Mar 30 2015 Lukas Vrabec <lvrabec at redhat.com> 3.13.1-120 -
 Allow kmscon to read system state. BZ (1206871) - Allow plymouthd to open
 usbttys. BZ(1202429) - apmd needs sys_resource when shutting down the machine
 - Allow xdm_t to read colord_var_lib_t files. BZ(1201985) - Use enable_mls
 instead of enabled_mls. - Allow a user to log in with a different security level
 via ssh.


diff --git a/policy-f22-base.patch b/policy-f22-base.patch
index cc9b3cf..066b881 100644
--- a/policy-f22-base.patch
+++ b/policy-f22-base.patch
@@ -23206,10 +23206,10 @@ index fe0c682..3ad1b1f 100644
 +	ps_process_pattern($1, sshd_t)
 +')
 diff --git a/policy/modules/services/ssh.te b/policy/modules/services/ssh.te
-index cc877c7..46e1c3e 100644
+index cc877c7..1cd66c2 100644
 --- a/policy/modules/services/ssh.te
 +++ b/policy/modules/services/ssh.te
-@@ -6,43 +6,68 @@ policy_module(ssh, 2.4.2)
+@@ -6,43 +6,69 @@ policy_module(ssh, 2.4.2)
  #
  
  ## <desc>
@@ -23270,6 +23270,7 @@ index cc877c7..46e1c3e 100644
  init_daemon_domain(sshd_t, sshd_exec_t)
 +mls_trusted_object(sshd_t)
 +mls_process_write_all_levels(sshd_t)
++mls_dbus_send_all_levels(sshd_t)
 +
 +type sshd_initrc_exec_t;
 +init_script_file(sshd_initrc_exec_t)
@@ -23292,7 +23293,7 @@ index cc877c7..46e1c3e 100644
  
  type ssh_t;
  type ssh_exec_t;
-@@ -67,15 +92,17 @@ userdom_user_application_domain(ssh_keysign_t, ssh_keysign_exec_t)
+@@ -67,15 +93,17 @@ userdom_user_application_domain(ssh_keysign_t, ssh_keysign_exec_t)
  type ssh_tmpfs_t;
  typealias ssh_tmpfs_t alias { user_ssh_tmpfs_t staff_ssh_tmpfs_t sysadm_ssh_tmpfs_t };
  typealias ssh_tmpfs_t alias { auditadm_ssh_tmpfs_t secadm_ssh_tmpfs_t };
@@ -23313,7 +23314,7 @@ index cc877c7..46e1c3e 100644
  
  ##############################
  #
-@@ -86,6 +113,7 @@ allow ssh_t self:capability { setuid setgid dac_override dac_read_search };
+@@ -86,6 +114,7 @@ allow ssh_t self:capability { setuid setgid dac_override dac_read_search };
  allow ssh_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
  allow ssh_t self:fd use;
  allow ssh_t self:fifo_file rw_fifo_file_perms;
@@ -23321,7 +23322,7 @@ index cc877c7..46e1c3e 100644
  allow ssh_t self:unix_dgram_socket { create_socket_perms sendto };
  allow ssh_t self:unix_stream_socket { create_stream_socket_perms connectto };
  allow ssh_t self:shm create_shm_perms;
-@@ -93,50 +121,55 @@ allow ssh_t self:sem create_sem_perms;
+@@ -93,50 +122,55 @@ allow ssh_t self:sem create_sem_perms;
  allow ssh_t self:msgq create_msgq_perms;
  allow ssh_t self:msg { send receive };
  allow ssh_t self:tcp_socket create_stream_socket_perms;
@@ -23388,7 +23389,7 @@ index cc877c7..46e1c3e 100644
  dev_read_urand(ssh_t)
  
  fs_getattr_all_fs(ssh_t)
-@@ -157,40 +190,46 @@ files_read_var_files(ssh_t)
+@@ -157,40 +191,46 @@ files_read_var_files(ssh_t)
  logging_send_syslog_msg(ssh_t)
  logging_read_generic_logs(ssh_t)
  
@@ -23454,7 +23455,7 @@ index cc877c7..46e1c3e 100644
  ')
  
  optional_policy(`
-@@ -198,6 +237,7 @@ optional_policy(`
+@@ -198,6 +238,7 @@ optional_policy(`
  	xserver_domtrans_xauth(ssh_t)
  ')
  
@@ -23462,7 +23463,7 @@ index cc877c7..46e1c3e 100644
  ##############################
  #
  # ssh_keysign_t local policy
-@@ -209,6 +249,7 @@ allow ssh_keysign_t self:unix_stream_socket create_socket_perms;
+@@ -209,6 +250,7 @@ allow ssh_keysign_t self:unix_stream_socket create_socket_perms;
  allow ssh_keysign_t sshd_key_t:file { getattr read };
  
  dev_read_urand(ssh_keysign_t)
@@ -23470,7 +23471,7 @@ index cc877c7..46e1c3e 100644
  
  files_read_etc_files(ssh_keysign_t)
  
-@@ -226,39 +267,58 @@ optional_policy(`
+@@ -226,39 +268,58 @@ optional_policy(`
  # so a tunnel can point to another ssh tunnel
  allow sshd_t self:netlink_route_socket r_netlink_socket_perms;
  allow sshd_t self:key { search link write };
@@ -23541,7 +23542,7 @@ index cc877c7..46e1c3e 100644
  ')
  
  optional_policy(`
-@@ -266,6 +326,15 @@ optional_policy(`
+@@ -266,6 +327,15 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -23557,7 +23558,7 @@ index cc877c7..46e1c3e 100644
  	inetd_tcp_service_domain(sshd_t, sshd_exec_t)
  ')
  
-@@ -275,10 +344,26 @@ optional_policy(`
+@@ -275,10 +345,26 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -23584,7 +23585,7 @@ index cc877c7..46e1c3e 100644
  	rpm_use_script_fds(sshd_t)
  ')
  
-@@ -289,13 +374,93 @@ optional_policy(`
+@@ -289,13 +375,93 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -23678,7 +23679,7 @@ index cc877c7..46e1c3e 100644
  ########################################
  #
  # ssh_keygen local policy
-@@ -304,19 +469,33 @@ optional_policy(`
+@@ -304,19 +470,33 @@ optional_policy(`
  # ssh_keygen_t is the type of the ssh-keygen program when run at install time
  # and by sysadm_t
  
@@ -23713,7 +23714,7 @@ index cc877c7..46e1c3e 100644
  dev_read_urand(ssh_keygen_t)
  
  term_dontaudit_use_console(ssh_keygen_t)
-@@ -332,7 +511,9 @@ auth_use_nsswitch(ssh_keygen_t)
+@@ -332,7 +512,9 @@ auth_use_nsswitch(ssh_keygen_t)
  
  logging_send_syslog_msg(ssh_keygen_t)
  
@@ -23723,7 +23724,7 @@ index cc877c7..46e1c3e 100644
  
  optional_policy(`
  	seutil_sigchld_newrole(ssh_keygen_t)
-@@ -341,3 +522,148 @@ optional_policy(`
+@@ -341,3 +523,148 @@ optional_policy(`
  optional_policy(`
  	udev_read_db(ssh_keygen_t)
  ')
@@ -25775,7 +25776,7 @@ index 6bf0ecc..b036584 100644
 +')
 +
 diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te
-index 8b40377..07ff17c 100644
+index 8b40377..4f6e00b 100644
 --- a/policy/modules/services/xserver.te
 +++ b/policy/modules/services/xserver.te
 @@ -26,28 +26,66 @@ gen_require(`
@@ -26416,7 +26417,7 @@ index 8b40377..07ff17c 100644
  
  userdom_dontaudit_use_unpriv_user_fds(xdm_t)
  userdom_create_all_users_keys(xdm_t)
-@@ -472,24 +687,155 @@ userdom_read_user_home_content_files(xdm_t)
+@@ -472,24 +687,159 @@ userdom_read_user_home_content_files(xdm_t)
  # Search /proc for any user domain processes.
  userdom_read_all_users_state(xdm_t)
  userdom_signal_all_users(xdm_t)
@@ -26464,6 +26465,10 @@ index 8b40377..07ff17c 100644
 +userdom_filetrans_generic_home_content(xdm_t)
 +
 +optional_policy(`
++    colord_read_lib_files(xdm_t)
++')
++
++optional_policy(`
 +	gnome_config_filetrans(xdm_t, home_cert_t, dir, "certificates")
 +')
 +
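Review bot: The new `colord_read_lib_files(xdm_t)` block is indented with four spaces while the adjacent `gnome_config_filetrans` block and the rest of xserver.te use tabs; it should read `	colord_read_lib_files(xdm_t)` inside the `optional_policy` so the file keeps one indentation style. The hunk header above it was correctly bumped by four lines for the insert. Nothing else in the hunk changes.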
@@ -26578,7 +26583,7 @@ index 8b40377..07ff17c 100644
  tunable_policy(`xdm_sysadm_login',`
  	userdom_xsession_spec_domtrans_all_users(xdm_t)
  	# FIXME:
-@@ -502,12 +848,31 @@ tunable_policy(`xdm_sysadm_login',`
+@@ -502,12 +852,31 @@ tunable_policy(`xdm_sysadm_login',`
  #	allow xserver_t xdm_tmpfs_t:file rw_file_perms;
  ')
  
@@ -26610,7 +26615,7 @@ index 8b40377..07ff17c 100644
  ')
  
  optional_policy(`
-@@ -517,9 +882,34 @@ optional_policy(`
+@@ -517,9 +886,34 @@ optional_policy(`
  optional_policy(`
  	dbus_system_bus_client(xdm_t)
  	dbus_connect_system_bus(xdm_t)
@@ -26618,17 +26623,17 @@ index 8b40377..07ff17c 100644
 +    optional_policy(`
 +        accountsd_dbus_chat(xdm_t)
 +    ')
-+
-+	optional_policy(`
+ 
+ 	optional_policy(`
+-		accountsd_dbus_chat(xdm_t)
 +		bluetooth_dbus_chat(xdm_t)
 +	')
 +
 +	 optional_policy(`
 +		cpufreqselector_dbus_chat(xdm_t)
 +	')
- 
- 	optional_policy(`
--		accountsd_dbus_chat(xdm_t)
++
++	optional_policy(`
 +		devicekit_dbus_chat_disk(xdm_t)
 +		devicekit_dbus_chat_power(xdm_t)
 +	')
@@ -26646,7 +26651,7 @@ index 8b40377..07ff17c 100644
  	')
  ')
  
-@@ -530,6 +920,20 @@ optional_policy(`
+@@ -530,6 +924,20 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -26667,7 +26672,7 @@ index 8b40377..07ff17c 100644
  	hostname_exec(xdm_t)
  ')
  
-@@ -547,28 +951,78 @@ optional_policy(`
+@@ -547,28 +955,78 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -26755,7 +26760,7 @@ index 8b40377..07ff17c 100644
  ')
  
  optional_policy(`
-@@ -580,6 +1034,14 @@ optional_policy(`
+@@ -580,6 +1038,14 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -26770,7 +26775,7 @@ index 8b40377..07ff17c 100644
  	xfs_stream_connect(xdm_t)
  ')
  
-@@ -594,7 +1056,7 @@ type_transition xserver_t xserver_t:x_colormap root_xcolormap_t;
+@@ -594,7 +1060,7 @@ type_transition xserver_t xserver_t:x_colormap root_xcolormap_t;
  type_transition root_xdrawable_t input_xevent_t:x_event root_input_xevent_t;
  
  allow xserver_t { root_xdrawable_t x_domain }:x_drawable send;
@@ -26779,7 +26784,7 @@ index 8b40377..07ff17c 100644
  
  # setuid/setgid for the wrapper program to change UID
  # sys_rawio is for iopl access - should not be needed for frame-buffer
-@@ -604,8 +1066,11 @@ allow xserver_t input_xevent_t:x_event send;
+@@ -604,8 +1070,11 @@ allow xserver_t input_xevent_t:x_event send;
  # execheap needed until the X module loader is fixed.
  # NVIDIA Needs execstack
  
@@ -26792,7 +26797,7 @@ index 8b40377..07ff17c 100644
  allow xserver_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
  allow xserver_t self:fd use;
  allow xserver_t self:fifo_file rw_fifo_file_perms;
-@@ -618,8 +1083,15 @@ allow xserver_t self:unix_dgram_socket { create_socket_perms sendto };
+@@ -618,8 +1087,15 @@ allow xserver_t self:unix_dgram_socket { create_socket_perms sendto };
  allow xserver_t self:unix_stream_socket { create_stream_socket_perms connectto };
  allow xserver_t self:tcp_socket create_stream_socket_perms;
  allow xserver_t self:udp_socket create_socket_perms;
@@ -26808,7 +26813,7 @@ index 8b40377..07ff17c 100644
  manage_dirs_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
  manage_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
  manage_sock_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
-@@ -627,6 +1099,10 @@ files_tmp_filetrans(xserver_t, xserver_tmp_t, { file dir sock_file })
+@@ -627,6 +1103,10 @@ files_tmp_filetrans(xserver_t, xserver_tmp_t, { file dir sock_file })
  
  filetrans_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t, sock_file)
  
@@ -26819,7 +26824,7 @@ index 8b40377..07ff17c 100644
  manage_dirs_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t)
  manage_files_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t)
  manage_lnk_files_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t)
-@@ -638,25 +1114,32 @@ manage_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
+@@ -638,25 +1118,32 @@ manage_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
  manage_lnk_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
  files_search_var_lib(xserver_t)
  
@@ -26856,7 +26861,7 @@ index 8b40377..07ff17c 100644
  corenet_all_recvfrom_netlabel(xserver_t)
  corenet_tcp_sendrecv_generic_if(xserver_t)
  corenet_udp_sendrecv_generic_if(xserver_t)
-@@ -677,23 +1160,28 @@ dev_rw_apm_bios(xserver_t)
+@@ -677,23 +1164,28 @@ dev_rw_apm_bios(xserver_t)
  dev_rw_agp(xserver_t)
  dev_rw_framebuffer(xserver_t)
  dev_manage_dri_dev(xserver_t)
@@ -26888,7 +26893,7 @@ index 8b40377..07ff17c 100644
  
  # brought on by rhgb
  files_search_mnt(xserver_t)
-@@ -705,6 +1193,14 @@ fs_search_nfs(xserver_t)
+@@ -705,6 +1197,14 @@ fs_search_nfs(xserver_t)
  fs_search_auto_mountpoints(xserver_t)
  fs_search_ramfs(xserver_t)
  
@@ -26903,7 +26908,7 @@ index 8b40377..07ff17c 100644
  mls_xwin_read_to_clearance(xserver_t)
  
  selinux_validate_context(xserver_t)
-@@ -718,20 +1214,18 @@ init_getpgid(xserver_t)
+@@ -718,20 +1218,18 @@ init_getpgid(xserver_t)
  term_setattr_unallocated_ttys(xserver_t)
  term_use_unallocated_ttys(xserver_t)
  
@@ -26927,7 +26932,7 @@ index 8b40377..07ff17c 100644
  
  userdom_search_user_home_dirs(xserver_t)
  userdom_use_user_ttys(xserver_t)
-@@ -739,8 +1233,6 @@ userdom_setattr_user_ttys(xserver_t)
+@@ -739,8 +1237,6 @@ userdom_setattr_user_ttys(xserver_t)
  userdom_read_user_tmp_files(xserver_t)
  userdom_rw_user_tmpfs_files(xserver_t)
  
@@ -26936,7 +26941,7 @@ index 8b40377..07ff17c 100644
  ifndef(`distro_redhat',`
  	allow xserver_t self:process { execmem execheap execstack };
  	domain_mmap_low_uncond(xserver_t)
-@@ -785,17 +1277,50 @@ optional_policy(`
+@@ -785,17 +1281,50 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -26989,7 +26994,7 @@ index 8b40377..07ff17c 100644
  ')
  
  optional_policy(`
-@@ -803,6 +1328,10 @@ optional_policy(`
+@@ -803,6 +1332,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -27000,7 +27005,7 @@ index 8b40377..07ff17c 100644
  	xfs_stream_connect(xserver_t)
  ')
  
-@@ -818,18 +1347,17 @@ allow xserver_t xdm_t:shm rw_shm_perms;
+@@ -818,18 +1351,17 @@ allow xserver_t xdm_t:shm rw_shm_perms;
  
  # NB we do NOT allow xserver_t xdm_var_lib_t:dir, only access to an open
  # handle of a file inside the dir!!!
@@ -27025,7 +27030,7 @@ index 8b40377..07ff17c 100644
  can_exec(xserver_t, xkb_var_lib_t)
  
  # VNC v4 module in X server
-@@ -842,26 +1370,21 @@ init_use_fds(xserver_t)
+@@ -842,26 +1374,21 @@ init_use_fds(xserver_t)
  # to read ROLE_home_t - examine this in more detail
  # (xauth?)
  userdom_read_user_home_content_files(xserver_t)
@@ -27060,7 +27065,7 @@ index 8b40377..07ff17c 100644
  ')
  
  optional_policy(`
-@@ -912,7 +1435,7 @@ allow x_domain xproperty_t:x_property { getattr create read write append destroy
+@@ -912,7 +1439,7 @@ allow x_domain xproperty_t:x_property { getattr create read write append destroy
  allow x_domain root_xdrawable_t:x_drawable { getattr setattr list_child add_child remove_child send receive hide show };
  # operations allowed on my windows
  allow x_domain self:x_drawable { create destroy getattr setattr read write show hide list_child add_child remove_child manage send receive };
@@ -27069,7 +27074,7 @@ index 8b40377..07ff17c 100644
  # operations allowed on all windows
  allow x_domain x_domain:x_drawable { getattr get_property set_property remove_child };
  
-@@ -966,11 +1489,31 @@ allow x_domain self:x_resource { read write };
+@@ -966,11 +1493,31 @@ allow x_domain self:x_resource { read write };
  # can mess with the screensaver
  allow x_domain xserver_t:x_screen { getattr saver_getattr };
  
@@ -27101,7 +27106,7 @@ index 8b40377..07ff17c 100644
  tunable_policy(`! xserver_object_manager',`
  	# should be xserver_unconfined(x_domain),
  	# but typeattribute doesnt work in conditionals
-@@ -992,18 +1535,148 @@ tunable_policy(`! xserver_object_manager',`
+@@ -992,18 +1539,148 @@ tunable_policy(`! xserver_object_manager',`
  	allow x_domain xevent_type:{ x_event x_synthetic_event } *;
  ')
  
@@ -29587,7 +29592,7 @@ index bc0ffc8..37b8ea5 100644
  ')
 +/var/run/systemd(/.*)?		gen_context(system_u:object_r:init_var_run_t,s0)
 diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if
-index 79a45f6..6c7a9d9 100644
+index 79a45f6..ca8a198 100644
 --- a/policy/modules/system/init.if
 +++ b/policy/modules/system/init.if
 @@ -1,5 +1,21 @@
@@ -30835,7 +30840,7 @@ index 79a45f6..6c7a9d9 100644
 +        type init_t;
 +    ')
 +
-+    allow $1 init_t:tcp_socket { read write };
++    allow $1 init_t:tcp_socket { read write getattr };
 +')
 +
 +########################################
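Review bot: `getattr` is added to `allow $1 init_t:tcp_socket { read write getattr };` but the interface's `## <summary>` (outside this hunk, so not visible here) presumably still describes only read/write access; if so it should be updated in the same commit so callers know the grant now includes `getattr`. The only caller visible in this commit is the `enable_mls` block in `userdom_common_user_template`, which passes a user domain, so the summary is what a policy author will rely on when deciding whether a non-MLS domain should call it. The enclosing `init_rw_tcp_sockets` interface begins before the hunk.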
@@ -41767,10 +41772,10 @@ index 0000000..d2a8fc7
 +')
 diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
 new file mode 100644
-index 0000000..3ebbad0
+index 0000000..b4916c2
 --- /dev/null
 +++ b/policy/modules/system/systemd.te
-@@ -0,0 +1,706 @@
+@@ -0,0 +1,707 @@
 +policy_module(systemd, 1.0.0)
 +
 +#######################################
@@ -41869,6 +41874,7 @@ index 0000000..3ebbad0
 +
 +mls_file_read_all_levels(systemd_logind_t)
 +mls_file_write_all_levels(systemd_logind_t)
++mls_dbus_send_all_levels(systemd_logind_t)
 +
 +files_delete_tmpfs_files(systemd_logind_t)
 +
@@ -43879,7 +43885,7 @@ index db75976..1ee08ec 100644
 +/var/tmp/hsperfdata_root    gen_context(system_u:object_r:user_tmp_t,s0)
 +
 diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
-index 9dc60c6..d88f402 100644
+index 9dc60c6..6498859 100644
 --- a/policy/modules/system/userdomain.if
 +++ b/policy/modules/system/userdomain.if
 @@ -30,9 +30,11 @@ template(`userdom_base_user_template',`
@@ -43895,7 +43901,7 @@ index 9dc60c6..d88f402 100644
  	corecmd_shell_entry_type($1_t)
  	corecmd_bin_entry_type($1_t)
  	domain_user_exemption_target($1_t)
-@@ -44,79 +46,132 @@ template(`userdom_base_user_template',`
+@@ -44,79 +46,133 @@ template(`userdom_base_user_template',`
  	term_user_pty($1_t, user_devpts_t)
  
  	term_user_tty($1_t, user_tty_device_t)
@@ -44074,13 +44080,14 @@ index 9dc60c6..d88f402 100644
 +	
 +	optional_policy(`
 +		ssh_rw_stream_sockets($1_usertype)
++        ssh_rw_dgram_sockets($1_usertype)
 +		ssh_delete_tmp($1_t)
 +		ssh_signal($1_t)
 +	')
  ')
  
  #######################################
-@@ -150,6 +205,8 @@ interface(`userdom_ro_home_role',`
+@@ -150,6 +206,8 @@ interface(`userdom_ro_home_role',`
  		type user_home_t, user_home_dir_t;
  	')
  
@@ -44089,7 +44096,7 @@ index 9dc60c6..d88f402 100644
  	##############################
  	#
  	# Domain access to home dir
-@@ -167,27 +224,6 @@ interface(`userdom_ro_home_role',`
+@@ -167,27 +225,6 @@ interface(`userdom_ro_home_role',`
  	read_sock_files_pattern($2, { user_home_t user_home_dir_t }, user_home_t)
  	files_list_home($2)
  
@@ -44117,7 +44124,7 @@ index 9dc60c6..d88f402 100644
  ')
  
  #######################################
-@@ -219,8 +255,11 @@ interface(`userdom_ro_home_role',`
+@@ -219,8 +256,11 @@ interface(`userdom_ro_home_role',`
  interface(`userdom_manage_home_role',`
  	gen_require(`
  		type user_home_t, user_home_dir_t;
@@ -44129,7 +44136,7 @@ index 9dc60c6..d88f402 100644
  	##############################
  	#
  	# Domain access to home dir
-@@ -229,43 +268,46 @@ interface(`userdom_manage_home_role',`
+@@ -229,43 +269,46 @@ interface(`userdom_manage_home_role',`
  	type_member $2 user_home_dir_t:dir user_home_dir_t;
  
  	# full control of the home directory
@@ -44193,7 +44200,7 @@ index 9dc60c6..d88f402 100644
  	')
  ')
  
-@@ -273,6 +315,82 @@ interface(`userdom_manage_home_role',`
+@@ -273,6 +316,82 @@ interface(`userdom_manage_home_role',`
  ## <summary>
  ##	Manage user temporary files
  ## </summary>
@@ -44276,7 +44283,7 @@ index 9dc60c6..d88f402 100644
  ## <param name="role">
  ##	<summary>
  ##	Role allowed access.
-@@ -287,17 +405,65 @@ interface(`userdom_manage_home_role',`
+@@ -287,17 +406,65 @@ interface(`userdom_manage_home_role',`
  #
  interface(`userdom_manage_tmp_role',`
  	gen_require(`
@@ -44347,7 +44354,7 @@ index 9dc60c6..d88f402 100644
  ')
  
  #######################################
-@@ -317,11 +483,31 @@ interface(`userdom_exec_user_tmp_files',`
+@@ -317,11 +484,31 @@ interface(`userdom_exec_user_tmp_files',`
  	')
  
  	exec_files_pattern($1, user_tmp_t, user_tmp_t)
@@ -44379,7 +44386,7 @@ index 9dc60c6..d88f402 100644
  ##	Role access for the user tmpfs type
  ##	that the user has full access.
  ## </summary>
-@@ -347,60 +533,45 @@ interface(`userdom_exec_user_tmp_files',`
+@@ -347,60 +534,45 @@ interface(`userdom_exec_user_tmp_files',`
  ## <rolecap/>
  #
  interface(`userdom_manage_tmpfs_role',`
@@ -44460,7 +44467,7 @@ index 9dc60c6..d88f402 100644
  ')
  
  #######################################
-@@ -431,6 +602,7 @@ template(`userdom_xwindows_client_template',`
+@@ -431,6 +603,7 @@ template(`userdom_xwindows_client_template',`
  	dev_dontaudit_rw_dri($1_t)
  	# GNOME checks for usb and other devices:
  	dev_rw_usbfs($1_t)
@@ -44468,7 +44475,7 @@ index 9dc60c6..d88f402 100644
  
  	xserver_user_x_domain_template($1, $1_t, user_tmpfs_t)
  	xserver_xsession_entry_type($1_t)
-@@ -463,8 +635,8 @@ template(`userdom_change_password_template',`
+@@ -463,8 +636,8 @@ template(`userdom_change_password_template',`
  	')
  
  	optional_policy(`
@@ -44479,7 +44486,7 @@ index 9dc60c6..d88f402 100644
  	')
  ')
  
-@@ -491,51 +663,68 @@ template(`userdom_common_user_template',`
+@@ -491,51 +664,68 @@ template(`userdom_common_user_template',`
  		attribute unpriv_userdomain;
  	')
  
@@ -44562,8 +44569,8 @@ index 9dc60c6..d88f402 100644
 +
  
 -	fs_rw_cgroup_files($1_t)
-+    ifdef(`enabled_mls',`
-+        init_rw_tcp_sockets($1_usertype)
++    ifdef(`enable_mls',`
++        init_rw_tcp_sockets($1_t)
 +    ')
 +
 +	logging_send_syslog_msg($1_t)
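Review bot: The new `ifdef(`enable_mls',` / `init_rw_tcp_sockets($1_t)` lines carry no comment explaining why an MLS user domain needs read/write on `init_t` tcp sockets, and the block is indented with four spaces in a tab-indented template. Since m4 `ifdef` on an undefined name like the old `enabled_mls` silently drops the body, this grant has never actually been in effect before, so a one-line rationale is worth recording now, e.g. `		# MLS: user sessions inherit a tcp_socket labelled init_t (presumably from socket-activated sshd)`, with tabs throughout. Narrowing the subject from `$1_usertype` to `$1_t` is a sensible reduction in who receives the grant. The enclosing `userdom_common_user_template` continues outside the hunk.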
@@ -44572,7 +44579,7 @@ index 9dc60c6..d88f402 100644
  
  	# cjp: some of this probably can be removed
  	selinux_get_fs_mount($1_t)
-@@ -546,93 +735,132 @@ template(`userdom_common_user_template',`
+@@ -546,93 +736,132 @@ template(`userdom_common_user_template',`
  	selinux_compute_user_contexts($1_t)
  
  	# for eject
@@ -44743,7 +44750,7 @@ index 9dc60c6..d88f402 100644
  	')
  
  	optional_policy(`
-@@ -642,23 +870,21 @@ template(`userdom_common_user_template',`
+@@ -642,23 +871,21 @@ template(`userdom_common_user_template',`
  	optional_policy(`
  		mpd_manage_user_data_content($1_t)
  		mpd_relabel_user_data_content($1_t)
@@ -44772,7 +44779,7 @@ index 9dc60c6..d88f402 100644
  			mysql_stream_connect($1_t)
  		')
  	')
-@@ -671,7 +897,7 @@ template(`userdom_common_user_template',`
+@@ -671,7 +898,7 @@ template(`userdom_common_user_template',`
  
  	optional_policy(`
  		# to allow monitoring of pcmcia status
@@ -44781,7 +44788,7 @@ index 9dc60c6..d88f402 100644
  	')
  
  	optional_policy(`
-@@ -680,9 +906,9 @@ template(`userdom_common_user_template',`
+@@ -680,9 +907,9 @@ template(`userdom_common_user_template',`
  	')
  
  	optional_policy(`
@@ -44794,7 +44801,7 @@ index 9dc60c6..d88f402 100644
  		')
  	')
  
-@@ -693,32 +919,35 @@ template(`userdom_common_user_template',`
+@@ -693,32 +920,35 @@ template(`userdom_common_user_template',`
  	')
  
  	optional_policy(`
@@ -44841,7 +44848,7 @@ index 9dc60c6..d88f402 100644
  	')
  ')
  
-@@ -743,17 +972,32 @@ template(`userdom_common_user_template',`
+@@ -743,17 +973,32 @@ template(`userdom_common_user_template',`
  template(`userdom_login_user_template', `
  	gen_require(`
  		class context contains;
@@ -44878,7 +44885,7 @@ index 9dc60c6..d88f402 100644
  
  	userdom_change_password_template($1)
  
-@@ -761,83 +1005,107 @@ template(`userdom_login_user_template', `
+@@ -761,83 +1006,107 @@ template(`userdom_login_user_template', `
  	#
  	# User domain Local policy
  	#
@@ -45022,7 +45029,7 @@ index 9dc60c6..d88f402 100644
  ')
  
  #######################################
-@@ -868,6 +1136,12 @@ template(`userdom_restricted_user_template',`
+@@ -868,6 +1137,12 @@ template(`userdom_restricted_user_template',`
  	typeattribute $1_t unpriv_userdomain;
  	domain_interactive_fd($1_t)
  
@@ -45035,7 +45042,7 @@ index 9dc60c6..d88f402 100644
  	##############################
  	#
  	# Local policy
-@@ -907,53 +1181,137 @@ template(`userdom_restricted_xwindows_user_template',`
+@@ -907,53 +1182,137 @@ template(`userdom_restricted_xwindows_user_template',`
  	#
  	# Local policy
  	#
@@ -45191,7 +45198,7 @@ index 9dc60c6..d88f402 100644
  ')
  
  #######################################
-@@ -987,27 +1345,33 @@ template(`userdom_unpriv_user_template', `
+@@ -987,27 +1346,33 @@ template(`userdom_unpriv_user_template', `
  	#
  
  	# Inherit rules for ordinary users.
@@ -45229,7 +45236,7 @@ index 9dc60c6..d88f402 100644
  			fs_manage_noxattr_fs_files($1_t)
  			fs_manage_noxattr_fs_dirs($1_t)
  			# Write floppies
-@@ -1018,23 +1382,63 @@ template(`userdom_unpriv_user_template', `
+@@ -1018,23 +1383,63 @@ template(`userdom_unpriv_user_template', `
  		')
  	')
  
@@ -45303,7 +45310,7 @@ index 9dc60c6..d88f402 100644
  	')
  
  	# Run pppd in pppd_t by default for user
-@@ -1043,7 +1447,9 @@ template(`userdom_unpriv_user_template', `
+@@ -1043,7 +1448,9 @@ template(`userdom_unpriv_user_template', `
  	')
  
  	optional_policy(`
@@ -45314,7 +45321,7 @@ index 9dc60c6..d88f402 100644
  	')
  ')
  
-@@ -1079,7 +1485,9 @@ template(`userdom_unpriv_user_template', `
+@@ -1079,7 +1486,9 @@ template(`userdom_unpriv_user_template', `
  template(`userdom_admin_user_template',`
  	gen_require(`
  		attribute admindomain;
@@ -45325,7 +45332,7 @@ index 9dc60c6..d88f402 100644
  	')
  
  	##############################
-@@ -1095,6 +1503,7 @@ template(`userdom_admin_user_template',`
+@@ -1095,6 +1504,7 @@ template(`userdom_admin_user_template',`
  	role system_r types $1_t;
  
  	typeattribute $1_t admindomain;
@@ -45333,7 +45340,7 @@ index 9dc60c6..d88f402 100644
  
  	ifdef(`direct_sysadm_daemon',`
  		domain_system_change_exemption($1_t)
-@@ -1105,14 +1514,8 @@ template(`userdom_admin_user_template',`
+@@ -1105,14 +1515,8 @@ template(`userdom_admin_user_template',`
  	# $1_t local policy
  	#
  
@@ -45350,7 +45357,7 @@ index 9dc60c6..d88f402 100644
  
  	kernel_read_software_raid_state($1_t)
  	kernel_getattr_core_if($1_t)
-@@ -1128,6 +1531,7 @@ template(`userdom_admin_user_template',`
+@@ -1128,6 +1532,7 @@ template(`userdom_admin_user_template',`
  	kernel_sigstop_unlabeled($1_t)
  	kernel_signull_unlabeled($1_t)
  	kernel_sigchld_unlabeled($1_t)
@@ -45358,7 +45365,7 @@ index 9dc60c6..d88f402 100644
  
  	corenet_tcp_bind_generic_port($1_t)
  	# allow setting up tunnels
-@@ -1145,10 +1549,15 @@ template(`userdom_admin_user_template',`
+@@ -1145,10 +1550,15 @@ template(`userdom_admin_user_template',`
  	dev_rename_all_blk_files($1_t)
  	dev_rename_all_chr_files($1_t)
  	dev_create_generic_symlinks($1_t)
@@ -45374,7 +45381,7 @@ index 9dc60c6..d88f402 100644
  	domain_dontaudit_ptrace_all_domains($1_t)
  	# signal all domains:
  	domain_kill_all_domains($1_t)
-@@ -1159,29 +1568,40 @@ template(`userdom_admin_user_template',`
+@@ -1159,29 +1569,40 @@ template(`userdom_admin_user_template',`
  	domain_sigchld_all_domains($1_t)
  	# for lsof
  	domain_getattr_all_sockets($1_t)
@@ -45419,7 +45426,7 @@ index 9dc60c6..d88f402 100644
  
  	# The following rule is temporary until such time that a complete
  	# policy management infrastructure is in place so that an administrator
-@@ -1191,6 +1611,8 @@ template(`userdom_admin_user_template',`
+@@ -1191,6 +1612,8 @@ template(`userdom_admin_user_template',`
  	# But presently necessary for installing the file_contexts file.
  	seutil_manage_bin_policy($1_t)
  
@@ -45428,7 +45435,7 @@ index 9dc60c6..d88f402 100644
  	userdom_manage_user_home_content_dirs($1_t)
  	userdom_manage_user_home_content_files($1_t)
  	userdom_manage_user_home_content_symlinks($1_t)
-@@ -1198,13 +1620,21 @@ template(`userdom_admin_user_template',`
+@@ -1198,13 +1621,21 @@ template(`userdom_admin_user_template',`
  	userdom_manage_user_home_content_sockets($1_t)
  	userdom_user_home_dir_filetrans_user_home_content($1_t, { dir file lnk_file fifo_file sock_file })
  
@@ -45451,7 +45458,7 @@ index 9dc60c6..d88f402 100644
  	optional_policy(`
  		postgresql_unconfined($1_t)
  	')
-@@ -1240,7 +1670,7 @@ template(`userdom_admin_user_template',`
+@@ -1240,7 +1671,7 @@ template(`userdom_admin_user_template',`
  ##	</summary>
  ## </param>
  #
@@ -45460,7 +45467,7 @@ index 9dc60c6..d88f402 100644
  	allow $1 self:capability { dac_read_search dac_override };
  
  	corecmd_exec_shell($1)
-@@ -1250,6 +1680,8 @@ template(`userdom_security_admin_template',`
+@@ -1250,6 +1681,8 @@ template(`userdom_security_admin_template',`
  	dev_relabel_all_dev_nodes($1)
  
  	files_create_boot_flag($1)
@@ -45469,7 +45476,7 @@ index 9dc60c6..d88f402 100644
  
  	# Necessary for managing /boot/efi
  	fs_manage_dos_files($1)
-@@ -1262,8 +1694,10 @@ template(`userdom_security_admin_template',`
+@@ -1262,8 +1695,10 @@ template(`userdom_security_admin_template',`
  	selinux_set_enforce_mode($1)
  	selinux_set_all_booleans($1)
  	selinux_set_parameters($1)
@@ -45481,7 +45488,7 @@ index 9dc60c6..d88f402 100644
  	auth_relabel_shadow($1)
  
  	init_exec($1)
-@@ -1274,29 +1708,31 @@ template(`userdom_security_admin_template',`
+@@ -1274,29 +1709,31 @@ template(`userdom_security_admin_template',`
  	logging_read_audit_config($1)
  
  	seutil_manage_bin_policy($1)
@@ -45524,7 +45531,7 @@ index 9dc60c6..d88f402 100644
  	')
  
  	optional_policy(`
-@@ -1357,14 +1793,17 @@ interface(`userdom_user_home_content',`
+@@ -1357,14 +1794,17 @@ interface(`userdom_user_home_content',`
  	gen_require(`
  		attribute user_home_content_type;
  		type user_home_t;
@@ -45543,7 +45550,7 @@ index 9dc60c6..d88f402 100644
  ')
  
  ########################################
-@@ -1397,12 +1836,51 @@ interface(`userdom_user_tmp_file',`
+@@ -1397,12 +1837,51 @@ interface(`userdom_user_tmp_file',`
  ## </param>
  #
  interface(`userdom_user_tmpfs_file',`
@@ -45596,7 +45603,7 @@ index 9dc60c6..d88f402 100644
  ##	Allow domain to attach to TUN devices created by administrative users.
  ## </summary>
  ## <param name="domain">
-@@ -1509,11 +1987,31 @@ interface(`userdom_search_user_home_dirs',`
+@@ -1509,11 +1988,31 @@ interface(`userdom_search_user_home_dirs',`
  	')
  
  	allow $1 user_home_dir_t:dir search_dir_perms;
@@ -45628,7 +45635,7 @@ index 9dc60c6..d88f402 100644
  ##	Do not audit attempts to search user home directories.
  ## </summary>
  ## <desc>
-@@ -1555,6 +2053,14 @@ interface(`userdom_list_user_home_dirs',`
+@@ -1555,6 +2054,14 @@ interface(`userdom_list_user_home_dirs',`
  
  	allow $1 user_home_dir_t:dir list_dir_perms;
  	files_search_home($1)
@@ -45643,7 +45650,7 @@ index 9dc60c6..d88f402 100644
  ')
  
  ########################################
-@@ -1570,9 +2076,11 @@ interface(`userdom_list_user_home_dirs',`
+@@ -1570,9 +2077,11 @@ interface(`userdom_list_user_home_dirs',`
  interface(`userdom_dontaudit_list_user_home_dirs',`
  	gen_require(`
  		type user_home_dir_t;
@@ -45655,7 +45662,7 @@ index 9dc60c6..d88f402 100644
  ')
  
  ########################################
-@@ -1613,6 +2121,24 @@ interface(`userdom_manage_user_home_dirs',`
+@@ -1613,6 +2122,24 @@ interface(`userdom_manage_user_home_dirs',`
  
  ########################################
  ## <summary>
@@ -45680,7 +45687,7 @@ index 9dc60c6..d88f402 100644
  ##	Relabel to user home directories.
  ## </summary>
  ## <param name="domain">
-@@ -1629,6 +2155,42 @@ interface(`userdom_relabelto_user_home_dirs',`
+@@ -1629,6 +2156,42 @@ interface(`userdom_relabelto_user_home_dirs',`
  	allow $1 user_home_dir_t:dir relabelto;
  ')
  
@@ -45723,7 +45730,7 @@ index 9dc60c6..d88f402 100644
  ########################################
  ## <summary>
  ##	Create directories in the home dir root with
-@@ -1704,10 +2266,12 @@ interface(`userdom_user_home_domtrans',`
+@@ -1704,10 +2267,12 @@ interface(`userdom_user_home_domtrans',`
  #
  interface(`userdom_dontaudit_search_user_home_content',`
  	gen_require(`
@@ -45738,7 +45745,7 @@ index 9dc60c6..d88f402 100644
  ')
  
  ########################################
-@@ -1741,10 +2305,12 @@ interface(`userdom_list_all_user_home_content',`
+@@ -1741,10 +2306,12 @@ interface(`userdom_list_all_user_home_content',`
  #
  interface(`userdom_list_user_home_content',`
  	gen_require(`
@@ -45753,7 +45760,7 @@ index 9dc60c6..d88f402 100644
  ')
  
  ########################################
-@@ -1769,7 +2335,7 @@ interface(`userdom_manage_user_home_content_dirs',`
+@@ -1769,7 +2336,7 @@ interface(`userdom_manage_user_home_content_dirs',`
  
  ########################################
  ## <summary>
@@ -45762,7 +45769,7 @@ index 9dc60c6..d88f402 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -1777,19 +2343,17 @@ interface(`userdom_manage_user_home_content_dirs',`
+@@ -1777,19 +2344,17 @@ interface(`userdom_manage_user_home_content_dirs',`
  ##	</summary>
  ## </param>
  #
@@ -45786,7 +45793,7 @@ index 9dc60c6..d88f402 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -1797,55 +2361,55 @@ interface(`userdom_delete_all_user_home_content_dirs',`
+@@ -1797,55 +2362,55 @@ interface(`userdom_delete_all_user_home_content_dirs',`
  ##	</summary>
  ## </param>
  #
@@ -45857,7 +45864,7 @@ index 9dc60c6..d88f402 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -1853,18 +2417,19 @@ interface(`userdom_dontaudit_setattr_user_home_content_files',`
+@@ -1853,18 +2418,19 @@ interface(`userdom_dontaudit_setattr_user_home_content_files',`
  ##	</summary>
  ## </param>
  #
@@ -45885,7 +45892,7 @@ index 9dc60c6..d88f402 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -1872,41 +2437,178 @@ interface(`userdom_mmap_user_home_content_files',`
+@@ -1872,41 +2438,178 @@ interface(`userdom_mmap_user_home_content_files',`
  ##	</summary>
  ## </param>
  #
@@ -46079,7 +46086,7 @@ index 9dc60c6..d88f402 100644
  ##	</summary>
  ## </param>
  #
-@@ -1938,7 +2640,7 @@ interface(`userdom_dontaudit_write_user_home_content_files',`
+@@ -1938,7 +2641,7 @@ interface(`userdom_dontaudit_write_user_home_content_files',`
  
  ########################################
  ## <summary>
@@ -46088,7 +46095,7 @@ index 9dc60c6..d88f402 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -1946,10 +2648,9 @@ interface(`userdom_dontaudit_write_user_home_content_files',`
+@@ -1946,10 +2649,9 @@ interface(`userdom_dontaudit_write_user_home_content_files',`
  ##	</summary>
  ## </param>
  #
@@ -46101,7 +46108,7 @@ index 9dc60c6..d88f402 100644
  	')
  
  	userdom_search_user_home_content($1)
-@@ -1958,7 +2659,7 @@ interface(`userdom_delete_all_user_home_content_files',`
+@@ -1958,7 +2660,7 @@ interface(`userdom_delete_all_user_home_content_files',`
  
  ########################################
  ## <summary>
@@ -46110,7 +46117,7 @@ index 9dc60c6..d88f402 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -1966,12 +2667,66 @@ interface(`userdom_delete_all_user_home_content_files',`
+@@ -1966,12 +2668,66 @@ interface(`userdom_delete_all_user_home_content_files',`
  ##	</summary>
  ## </param>
  #
@@ -46179,7 +46186,7 @@ index 9dc60c6..d88f402 100644
  ')
  
  ########################################
-@@ -2007,8 +2762,7 @@ interface(`userdom_read_user_home_content_symlinks',`
+@@ -2007,8 +2763,7 @@ interface(`userdom_read_user_home_content_symlinks',`
  		type user_home_dir_t, user_home_t;
  	')
  
@@ -46189,7 +46196,7 @@ index 9dc60c6..d88f402 100644
  ')
  
  ########################################
-@@ -2024,20 +2778,14 @@ interface(`userdom_read_user_home_content_symlinks',`
+@@ -2024,20 +2779,14 @@ interface(`userdom_read_user_home_content_symlinks',`
  #
  interface(`userdom_exec_user_home_content_files',`
  	gen_require(`
@@ -46214,7 +46221,7 @@ index 9dc60c6..d88f402 100644
  
  ########################################
  ## <summary>
-@@ -2120,7 +2868,7 @@ interface(`userdom_manage_user_home_content_symlinks',`
+@@ -2120,7 +2869,7 @@ interface(`userdom_manage_user_home_content_symlinks',`
  
  ########################################
  ## <summary>
@@ -46223,7 +46230,7 @@ index 9dc60c6..d88f402 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -2128,19 +2876,17 @@ interface(`userdom_manage_user_home_content_symlinks',`
+@@ -2128,19 +2877,17 @@ interface(`userdom_manage_user_home_content_symlinks',`
  ##	</summary>
  ## </param>
  #
@@ -46247,7 +46254,7 @@ index 9dc60c6..d88f402 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -2148,12 +2894,12 @@ interface(`userdom_delete_all_user_home_content_symlinks',`
+@@ -2148,12 +2895,12 @@ interface(`userdom_delete_all_user_home_content_symlinks',`
  ##	</summary>
  ## </param>
  #
@@ -46263,7 +46270,7 @@ index 9dc60c6..d88f402 100644
  ')
  
  ########################################
-@@ -2388,18 +3134,54 @@ interface(`userdom_dontaudit_manage_user_tmp_dirs',`
+@@ -2388,18 +3135,54 @@ interface(`userdom_dontaudit_manage_user_tmp_dirs',`
  ##	</summary>
  ## </param>
  #
@@ -46321,7 +46328,7 @@ index 9dc60c6..d88f402 100644
  ##	Do not audit attempts to read users
  ##	temporary files.
  ## </summary>
-@@ -2414,7 +3196,7 @@ interface(`userdom_dontaudit_read_user_tmp_files',`
+@@ -2414,7 +3197,7 @@ interface(`userdom_dontaudit_read_user_tmp_files',`
  		type user_tmp_t;
  	')
  
@@ -46330,7 +46337,7 @@ index 9dc60c6..d88f402 100644
  ')
  
  ########################################
-@@ -2455,6 +3237,25 @@ interface(`userdom_rw_user_tmp_files',`
+@@ -2455,6 +3238,25 @@ interface(`userdom_rw_user_tmp_files',`
  	rw_files_pattern($1, user_tmp_t, user_tmp_t)
  	files_search_tmp($1)
  ')
@@ -46356,7 +46363,7 @@ index 9dc60c6..d88f402 100644
  
  ########################################
  ## <summary>
-@@ -2538,7 +3339,7 @@ interface(`userdom_manage_user_tmp_files',`
+@@ -2538,7 +3340,7 @@ interface(`userdom_manage_user_tmp_files',`
  ########################################
  ## <summary>
  ##	Create, read, write, and delete user
@@ -46365,7 +46372,7 @@ index 9dc60c6..d88f402 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -2546,19 +3347,19 @@ interface(`userdom_manage_user_tmp_files',`
+@@ -2546,19 +3348,19 @@ interface(`userdom_manage_user_tmp_files',`
  ##	</summary>
  ## </param>
  #
@@ -46388,7 +46395,7 @@ index 9dc60c6..d88f402 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -2566,19 +3367,19 @@ interface(`userdom_manage_user_tmp_symlinks',`
+@@ -2566,19 +3368,19 @@ interface(`userdom_manage_user_tmp_symlinks',`
  ##	</summary>
  ## </param>
  #
@@ -46411,7 +46418,7 @@ index 9dc60c6..d88f402 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -2586,12 +3387,53 @@ interface(`userdom_manage_user_tmp_pipes',`
+@@ -2586,12 +3388,53 @@ interface(`userdom_manage_user_tmp_pipes',`
  ##	</summary>
  ## </param>
  #
@@ -46467,7 +46474,7 @@ index 9dc60c6..d88f402 100644
  	files_search_tmp($1)
  ')
  
-@@ -2661,6 +3503,21 @@ interface(`userdom_tmp_filetrans_user_tmp',`
+@@ -2661,6 +3504,21 @@ interface(`userdom_tmp_filetrans_user_tmp',`
  	files_tmp_filetrans($1, user_tmp_t, $2, $3)
  ')
  
@@ -46489,7 +46496,7 @@ index 9dc60c6..d88f402 100644
  ########################################
  ## <summary>
  ##	Read user tmpfs files.
-@@ -2672,18 +3529,13 @@ interface(`userdom_tmp_filetrans_user_tmp',`
+@@ -2672,18 +3530,13 @@ interface(`userdom_tmp_filetrans_user_tmp',`
  ## </param>
  #
  interface(`userdom_read_user_tmpfs_files',`
@@ -46511,7 +46518,7 @@ index 9dc60c6..d88f402 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -2692,19 +3544,13 @@ interface(`userdom_read_user_tmpfs_files',`
+@@ -2692,19 +3545,13 @@ interface(`userdom_read_user_tmpfs_files',`
  ## </param>
  #
  interface(`userdom_rw_user_tmpfs_files',`
@@ -46534,7 +46541,7 @@ index 9dc60c6..d88f402 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -2713,13 +3559,56 @@ interface(`userdom_rw_user_tmpfs_files',`
+@@ -2713,13 +3560,56 @@ interface(`userdom_rw_user_tmpfs_files',`
  ## </param>
  #
  interface(`userdom_manage_user_tmpfs_files',`
@@ -46595,7 +46602,7 @@ index 9dc60c6..d88f402 100644
  ')
  
  ########################################
-@@ -2814,6 +3703,24 @@ interface(`userdom_use_user_ttys',`
+@@ -2814,6 +3704,24 @@ interface(`userdom_use_user_ttys',`
  
  ########################################
  ## <summary>
@@ -46620,7 +46627,7 @@ index 9dc60c6..d88f402 100644
  ##	Read and write a user domain pty.
  ## </summary>
  ## <param name="domain">
-@@ -2832,22 +3739,34 @@ interface(`userdom_use_user_ptys',`
+@@ -2832,22 +3740,34 @@ interface(`userdom_use_user_ptys',`
  
  ########################################
  ## <summary>
@@ -46663,7 +46670,7 @@ index 9dc60c6..d88f402 100644
  ## </desc>
  ## <param name="domain">
  ##	<summary>
-@@ -2856,14 +3775,33 @@ interface(`userdom_use_user_ptys',`
+@@ -2856,14 +3776,33 @@ interface(`userdom_use_user_ptys',`
  ## </param>
  ## <infoflow type="both" weight="10"/>
  #
@@ -46701,7 +46708,7 @@ index 9dc60c6..d88f402 100644
  ')
  
  ########################################
-@@ -2882,8 +3820,27 @@ interface(`userdom_dontaudit_use_user_terminals',`
+@@ -2882,8 +3821,27 @@ interface(`userdom_dontaudit_use_user_terminals',`
  		type user_tty_device_t, user_devpts_t;
  	')
  
@@ -46731,7 +46738,7 @@ index 9dc60c6..d88f402 100644
  ')
  
  ########################################
-@@ -2955,69 +3912,68 @@ interface(`userdom_spec_domtrans_unpriv_users',`
+@@ -2955,69 +3913,68 @@ interface(`userdom_spec_domtrans_unpriv_users',`
  	allow unpriv_userdomain $1:process sigchld;
  ')
  
@@ -46832,7 +46839,7 @@ index 9dc60c6..d88f402 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -3025,12 +3981,12 @@ interface(`userdom_manage_unpriv_user_semaphores',`
+@@ -3025,12 +3982,12 @@ interface(`userdom_manage_unpriv_user_semaphores',`
  ##	</summary>
  ## </param>
  #
@@ -46847,7 +46854,7 @@ index 9dc60c6..d88f402 100644
  ')
  
  ########################################
-@@ -3094,7 +4050,7 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
+@@ -3094,7 +4051,7 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
  
  	domain_entry_file_spec_domtrans($1, unpriv_userdomain)
  	allow unpriv_userdomain $1:fd use;
@@ -46856,7 +46863,7 @@ index 9dc60c6..d88f402 100644
  	allow unpriv_userdomain $1:process sigchld;
  ')
  
-@@ -3110,29 +4066,13 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
+@@ -3110,29 +4067,13 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
  #
  interface(`userdom_search_user_home_content',`
  	gen_require(`
@@ -46890,7 +46897,7 @@ index 9dc60c6..d88f402 100644
  ')
  
  ########################################
-@@ -3214,7 +4154,25 @@ interface(`userdom_dontaudit_use_user_ptys',`
+@@ -3214,7 +4155,25 @@ interface(`userdom_dontaudit_use_user_ptys',`
  		type user_devpts_t;
  	')
  
@@ -46917,7 +46924,7 @@ index 9dc60c6..d88f402 100644
  ')
  
  ########################################
-@@ -3269,12 +4227,13 @@ interface(`userdom_write_user_tmp_files',`
+@@ -3269,12 +4228,13 @@ interface(`userdom_write_user_tmp_files',`
  		type user_tmp_t;
  	')
  
@@ -46933,7 +46940,7 @@ index 9dc60c6..d88f402 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -3282,49 +4241,125 @@ interface(`userdom_write_user_tmp_files',`
+@@ -3282,49 +4242,125 @@ interface(`userdom_write_user_tmp_files',`
  ##	</summary>
  ## </param>
  #
@@ -47073,7 +47080,7 @@ index 9dc60c6..d88f402 100644
  ')
  
  ########################################
-@@ -3382,6 +4417,42 @@ interface(`userdom_signal_all_users',`
+@@ -3382,6 +4418,42 @@ interface(`userdom_signal_all_users',`
  	allow $1 userdomain:process signal;
  ')
  
@@ -47116,7 +47123,7 @@ index 9dc60c6..d88f402 100644
  ########################################
  ## <summary>
  ##	Send a SIGCHLD signal to all user domains.
-@@ -3402,6 +4473,60 @@ interface(`userdom_sigchld_all_users',`
+@@ -3402,6 +4474,60 @@ interface(`userdom_sigchld_all_users',`
  
  ########################################
  ## <summary>
@@ -47177,7 +47184,7 @@ index 9dc60c6..d88f402 100644
  ##	Create keys for all user domains.
  ## </summary>
  ## <param name="domain">
-@@ -3435,4 +4560,1687 @@ interface(`userdom_dbus_send_all_users',`
+@@ -3435,4 +4561,1687 @@ interface(`userdom_dbus_send_all_users',`
  	')
  
  	allow $1 userdomain:dbus send_msg;
diff --git a/policy-f22-contrib.patch b/policy-f22-contrib.patch
index 70eb517..22ccf53 100644
--- a/policy-f22-contrib.patch
+++ b/policy-f22-contrib.patch
@@ -7809,7 +7809,7 @@ index 1a7a97e..2c7252a 100644
  	domain_system_change_exemption($1)
  	role_transition $2 apmd_initrc_exec_t system_r;
 diff --git a/apm.te b/apm.te
-index 7fd431b..5ce1846 100644
+index 7fd431b..e9c4c5a 100644
 --- a/apm.te
 +++ b/apm.te
 @@ -35,12 +35,15 @@ files_type(apmd_var_lib_t)
@@ -7838,11 +7838,13 @@ index 7fd431b..5ce1846 100644
  
  domain_use_interactive_fds(apm_t)
  
-@@ -60,7 +63,7 @@ logging_send_syslog_msg(apm_t)
+@@ -59,8 +62,8 @@ logging_send_syslog_msg(apm_t)
+ # Server local policy
  #
  
- allow apmd_t self:capability { sys_admin sys_nice sys_time kill mknod };
+-allow apmd_t self:capability { sys_admin sys_nice sys_time kill mknod };
 -dontaudit apmd_t self:capability { setuid dac_override dac_read_search sys_ptrace sys_tty_config };
++allow apmd_t self:capability { sys_admin sys_nice sys_time kill mknod sys_resource };
 +dontaudit apmd_t self:capability { setuid dac_override dac_read_search sys_tty_config };
  allow apmd_t self:process { signal_perms getsession };
  allow apmd_t self:fifo_file rw_fifo_file_perms;
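Review bot: The `sys_resource` added to `allow apmd_t self:capability { sys_admin sys_nice sys_time kill mknod sys_resource };` is recorded in the changelog without a Bugzilla reference, and per capabilities(7) CAP_SYS_RESOURCE reaches well beyond machine shutdown — it also lets the process raise its own rlimits and override filesystem reserved-space and quota checks. Nothing in the hunk records which operation was denied, so the grant reads as a blanket capability rather than a targeted fix; a one-line comment above the allow, `# sys_resource: needed when apmd shuts the machine down (3.13.1-120)`, or the missing BZ number in the changelog, would preserve that justification for the next reviewer. If the denial came from a child process such as a shutdown helper, it is worth confirming that apmd_t itself, and not a transition target, is the domain that needs the capability. The rest of apmd_t's local policy lies outside this hunk.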
@@ -40995,10 +40997,10 @@ index 0000000..b9347fa
 +')
 diff --git a/kmscon.te b/kmscon.te
 new file mode 100644
-index 0000000..be3d5d6
+index 0000000..32a9e13
 --- /dev/null
 +++ b/kmscon.te
-@@ -0,0 +1,86 @@
+@@ -0,0 +1,88 @@
 +# KMSCon SELinux policy module
 +# Contributed by Lubomir Rintel <lkundrak at v3.sk>
 +
@@ -41042,6 +41044,8 @@ index 0000000..be3d5d6
 +list_dirs_pattern(kmscon_t, kmscon_conf_t, kmscon_conf_t)
 +read_files_pattern(kmscon_t, kmscon_conf_t, kmscon_conf_t)
 +
++kernel_read_system_state(kmscon_t)
++
 +auth_read_passwd(kmscon_t)
 +
 +dev_rw_dri(kmscon_t)
@@ -67645,7 +67649,7 @@ index 30e751f..61feb3a 100644
  	admin_pattern($1, plymouthd_var_run_t)
  ')
 diff --git a/plymouthd.te b/plymouthd.te
-index 3078ce9..18872dc 100644
+index 3078ce9..c57d1cf 100644
 --- a/plymouthd.te
 +++ b/plymouthd.te
 @@ -15,7 +15,7 @@ type plymouthd_exec_t;
@@ -67685,7 +67689,7 @@ index 3078ce9..18872dc 100644
  logging_log_filetrans(plymouthd_t, plymouthd_var_log_t, { file dir })
  
  manage_dirs_pattern(plymouthd_t, plymouthd_var_run_t, plymouthd_var_run_t)
-@@ -70,19 +69,26 @@ domain_use_interactive_fds(plymouthd_t)
+@@ -70,19 +69,27 @@ domain_use_interactive_fds(plymouthd_t)
  
  fs_getattr_all_fs(plymouthd_t)
  
@@ -67695,15 +67699,16 @@ index 3078ce9..18872dc 100644
  term_getattr_pty_fs(plymouthd_t)
  term_use_all_terms(plymouthd_t)
  term_use_ptmx(plymouthd_t)
- 
--miscfiles_read_localization(plymouthd_t)
++term_use_usb_ttys(plymouthd_t)
++
 +init_signal(plymouthd_t)
 +
 +logging_link_generic_logs(plymouthd_t)
 +logging_delete_generic_logs(plymouthd_t)
 +
 +auth_use_nsswitch(plymouthd_t)
-+
+ 
+-miscfiles_read_localization(plymouthd_t)
  miscfiles_read_fonts(plymouthd_t)
  miscfiles_manage_fonts_cache(plymouthd_t)
  
@@ -67717,7 +67722,7 @@ index 3078ce9..18872dc 100644
  ')
  
  optional_policy(`
-@@ -90,35 +96,37 @@ optional_policy(`
+@@ -90,35 +97,37 @@ optional_policy(`
  ')
  
  optional_policy(`
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 8553c5c..d92a6ee 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -19,7 +19,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.13.1
-Release: 119%{?dist}
+Release: 120%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -602,6 +602,14 @@ SELinux Reference policy mls base module.
 %endif
 
 %changelog
+* Mon Mar 30 2015 Lukas Vrabec <lvrabec at redhat.com> 3.13.1-120
+- Allow kmscon to read system state. BZ (1206871)
+- Allow plymouthd to open usbttys. BZ(1202429)
+- apmd needs sys_resource when shutting down the machine
+- Allow xdm_t to read colord_var_lib_t files. BZ(1201985)
+- Use enable_mls instead of enabled_mls.
+- Allow a user to login with different security level via ssh.
+
 * Mon Mar 23 2015 Lukas Vrabec <lvrabec at redhat.com> 3.13.1-119
 - Allow mysqld_t to use pam. BZ(1196104)
 - Added label mysqld_etc_t for /etc/my.cnf.d/ dir. BZ(1203989)
-- 


	http://pkgs.fedoraproject.org/cgit/selinux-policy.git/commit/?h=f22&id=5d36f17b4369ffe6ee53a818ff8f811900c9eda5

