From 0b0211d641e66e76ea234d48e000e016ad3d64dd Mon Sep 17 00:00:00 2001 From: Miroslav Grepl Date: Mar 05 2009 13:53:45 +0000 Subject: - Fix pcscd policy - Allow alsa to read hardware state information --- diff --git a/policy-20071130.patch b/policy-20071130.patch index ef6df90..71389b6 100644 --- a/policy-20071130.patch +++ b/policy-20071130.patch @@ -572657,8 +572657,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/mls serefpolicy-3.3.1 # diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/alsa.te serefpolicy-3.3.1/policy/modules/admin/alsa.te --- nsaserefpolicy/policy/modules/admin/alsa.te 2008-02-26 14:23:10.000000000 +0100 -+++ serefpolicy-3.3.1/policy/modules/admin/alsa.te 2009-02-12 22:21:57.000000000 +0100 -@@ -48,6 +48,7 @@ ++++ serefpolicy-3.3.1/policy/modules/admin/alsa.te 2009-03-05 13:27:01.000000000 +0100 +@@ -43,11 +43,13 @@ + + dev_read_sound(alsa_t) + dev_write_sound(alsa_t) ++dev_read_sysfs(alsa_t) + + corecmd_exec_bin(alsa_t) files_search_home(alsa_t) files_read_etc_files(alsa_t) @@ -648218,7 +648224,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.te serefpolicy-3.3.1/policy/modules/services/cron.te --- nsaserefpolicy/policy/modules/services/cron.te 2008-02-26 14:23:10.000000000 +0100 -+++ serefpolicy-3.3.1/policy/modules/services/cron.te 2009-02-12 22:21:57.000000000 +0100 ++++ serefpolicy-3.3.1/policy/modules/services/cron.te 2009-03-05 13:23:46.000000000 +0100 @@ -12,14 +12,6 @@ ## @@ -648303,11 +648309,12 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron files_read_etc_files(crond_t) files_read_generic_spool(crond_t) -@@ -142,13 +146,16 @@ +@@ -142,13 +146,17 @@ files_search_default(crond_t) init_rw_utmp(crond_t) -+init_spec_domtrans_script(crond_t) ++#init_spec_domtrans_script(crond_t) ++init_domtrans_script(system_crond_t) auth_use_nsswitch(crond_t) 
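Review bot: `dev_read_sysfs(alsa_t)` in the alsa.te hunk carries no comment, and that interface grants read access to sysfs as a whole rather than only the sound-card state the commit subject describes. A one-line comment above the rule, e.g. `# alsa reads sound hardware state information from sysfs`, keeps the rationale next to the grant for whoever next audits alsa_t. The alsa_t rule block continues outside the hunk.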
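Review bot: The cron.te hunk keeps `#init_spec_domtrans_script(crond_t)` as a commented-out rule beside the new `init_domtrans_script(system_crond_t)`; a dead rule in a .te file only invites confusion, so the line should be dropped, or kept only together with a comment saying why the spec variant was abandoned. The replacement also moves the grant from crond_t to system_crond_t, so every system cron job may now transition into the init-script domain — a comment such as `# system cron jobs execute init scripts in the init script domain` should name which job needs this. Neither cron nor the ftp, postfix, ppp, libraries and userdomain changes in this commit appear in the subject, which lists only pcscd and alsa.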
@@ -648320,7 +648327,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron seutil_read_config(crond_t) seutil_read_default_contexts(crond_t) -@@ -161,11 +168,9 @@ +@@ -161,11 +169,9 @@ userdom_list_all_users_home_dirs(crond_t) mta_send_mail(crond_t) @@ -648333,7 +648340,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron optional_policy(` # Debian logcheck has the home dir set to its cache logwatch_search_cache_dir(crond_t) -@@ -180,21 +185,45 @@ +@@ -180,21 +186,45 @@ ') ') @@ -648380,7 +648387,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron ') optional_policy(` -@@ -236,6 +265,9 @@ +@@ -236,6 +266,9 @@ allow system_crond_t cron_var_lib_t:file manage_file_perms; files_var_lib_filetrans(system_crond_t,cron_var_lib_t,file) @@ -648390,7 +648397,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron allow system_crond_t system_cron_spool_t:file read_file_perms; # The entrypoint interface is not used as this is not # a regular entrypoint. Since crontab files are -@@ -267,9 +299,13 @@ +@@ -267,9 +300,13 @@ filetrans_pattern(system_crond_t,crond_tmp_t,system_crond_tmp_t,{ file lnk_file }) files_tmp_filetrans(system_crond_t,system_crond_tmp_t,file) @@ -648405,7 +648412,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron kernel_read_kernel_sysctls(system_crond_t) kernel_read_system_state(system_crond_t) -@@ -323,7 +359,8 @@ +@@ -323,7 +360,8 @@ init_read_utmp(system_crond_t) init_dontaudit_rw_utmp(system_crond_t) # prelink tells init to restart it self, we either need to allow or dontaudit @@ -648415,7 +648422,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron auth_use_nsswitch(system_crond_t) -@@ -333,6 +370,7 @@ +@@ -333,6 +371,7 @@ libs_exec_ld_so(system_crond_t) logging_read_generic_logs(system_crond_t) 
@@ -648423,7 +648430,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron logging_send_syslog_msg(system_crond_t) miscfiles_read_localization(system_crond_t) -@@ -348,18 +386,6 @@ +@@ -348,18 +387,6 @@ ') ') @@ -648442,7 +648449,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron optional_policy(` # Needed for certwatch apache_exec_modules(system_crond_t) -@@ -383,11 +409,20 @@ +@@ -383,11 +410,20 @@ ') optional_policy(` @@ -648463,7 +648470,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron ') optional_policy(` -@@ -415,8 +450,7 @@ +@@ -415,8 +451,7 @@ ') optional_policy(` @@ -648473,7 +648480,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron ') optional_policy(` -@@ -424,15 +458,12 @@ +@@ -424,15 +459,12 @@ ') optional_policy(` @@ -651642,7 +651649,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ftp. + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ftp.te serefpolicy-3.3.1/policy/modules/services/ftp.te --- nsaserefpolicy/policy/modules/services/ftp.te 2008-02-26 14:23:10.000000000 +0100 -+++ serefpolicy-3.3.1/policy/modules/services/ftp.te 2009-02-13 10:49:16.000000000 +0100 ++++ serefpolicy-3.3.1/policy/modules/services/ftp.te 2009-03-05 13:36:02.000000000 +0100 @@ -26,7 +26,7 @@ ## ##

@@ -651727,7 +651734,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ftp. tunable_policy(`ftp_home_dir',` allow ftpd_t self:capability { dac_override dac_read_search }; -@@ -218,7 +237,13 @@ +@@ -218,8 +237,16 @@ userdom_manage_all_users_home_content_dirs(ftpd_t) userdom_manage_all_users_home_content_files(ftpd_t) userdom_manage_all_users_home_content_symlinks(ftpd_t) @@ -651737,11 +651744,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ftp. + auth_read_all_files_except_shadow(ftpd_t) + auth_read_all_symlinks_except_shadow(ftpd_t) ') -+userdom_generic_user_home_dir_filetrans_generic_user_home_content(ftpd_t, { dir file lnk_file }) ++#Needed for permissive mode, to make sure everything gets labeled correctly ++userdom_user_home_dir_filetrans_pattern(ftpd_t, { dir file lnk_file }) ++ tunable_policy(`ftp_home_dir && use_nfs_home_dirs',` fs_manage_nfs_files(ftpd_t) -@@ -237,6 +262,18 @@ + fs_read_nfs_symlinks(ftpd_t) +@@ -237,6 +264,18 @@ ') optional_policy(` @@ -651760,7 +651770,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ftp. corecmd_exec_shell(ftpd_t) files_read_usr_files(ftpd_t) -@@ -253,7 +290,9 @@ +@@ -253,7 +292,9 @@ ') optional_policy(` @@ -651771,7 +651781,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ftp. ') optional_policy(` -@@ -265,6 +304,14 @@ +@@ -265,6 +306,14 @@ ') optional_policy(` 
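Review bot: `userdom_user_home_dir_filetrans_pattern(ftpd_t, { dir file lnk_file })` in the ftp.te hunk sits after the `tunable_policy(`ftp_home_dir',...)` block closes, so the type_transition is unconditional while the create permissions it relies on stay behind the boolean; a transition rule without matching allow rules has no effect in enforcing mode, which is presumably what `#Needed for permissive mode` alludes to, but the comment should say so, e.g. `# Unconditional type_transition only; it grants nothing and has no effect until ftp_home_dir allows creation, but keeps labeling correct in permissive mode`. The interface being called is introduced by this same commit's userdomain.if hunk, so the two hunks must land together or ftp.te fails to build. The ftp_home_dir tunable block begins outside the hunk.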
@@ -656513,10 +656523,32 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/open + unconfined_use_terminals(openvpn_t) +') + +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pcscd.fc serefpolicy-3.3.1/policy/modules/services/pcscd.fc +--- nsaserefpolicy/policy/modules/services/pcscd.fc 2008-02-26 14:23:10.000000000 +0100 ++++ serefpolicy-3.3.1/policy/modules/services/pcscd.fc 2009-03-05 13:07:09.000000000 +0100 +@@ -1,5 +1,6 @@ + /var/run/pcscd\.comm -s gen_context(system_u:object_r:pcscd_var_run_t,s0) + /var/run/pcscd\.pid -- gen_context(system_u:object_r:pcscd_var_run_t,s0) + /var/run/pcscd\.pub -- gen_context(system_u:object_r:pcscd_var_run_t,s0) ++/var/run/pcscd\.events(/.*)? gen_context(system_u:object_r:pcscd_var_run_t,s0) + + /usr/sbin/pcscd -- gen_context(system_u:object_r:pcscd_exec_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pcscd.te serefpolicy-3.3.1/policy/modules/services/pcscd.te --- nsaserefpolicy/policy/modules/services/pcscd.te 2008-02-26 14:23:10.000000000 +0100 -+++ serefpolicy-3.3.1/policy/modules/services/pcscd.te 2009-02-12 22:21:57.000000000 +0100 -@@ -45,6 +45,7 @@ ++++ serefpolicy-3.3.1/policy/modules/services/pcscd.te 2009-03-05 13:06:58.000000000 +0100 +@@ -27,9 +27,10 @@ + allow pcscd_t self:unix_dgram_socket create_socket_perms; + allow pcscd_t self:tcp_socket create_stream_socket_perms; + ++manage_dirs_pattern(pcscd_t, pcscd_var_run_t, pcscd_var_run_t) + manage_files_pattern(pcscd_t,pcscd_var_run_t,pcscd_var_run_t) + manage_sock_files_pattern(pcscd_t,pcscd_var_run_t,pcscd_var_run_t) +-files_pid_filetrans(pcscd_t,pcscd_var_run_t, { file sock_file }) ++files_pid_filetrans(pcscd_t,pcscd_var_run_t, { file dir sock_file }) + + corenet_all_recvfrom_unlabeled(pcscd_t) + corenet_all_recvfrom_netlabel(pcscd_t) +@@ -45,6 +46,7 @@ files_read_etc_files(pcscd_t) files_read_etc_runtime_files(pcscd_t) 
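Review bot: The new `manage_dirs_pattern(pcscd_t, pcscd_var_run_t, pcscd_var_run_t)` line in the pcscd.te hunk uses spaces after the commas while the adjacent `manage_files_pattern(pcscd_t,pcscd_var_run_t,pcscd_var_run_t)`, `manage_sock_files_pattern(...)` and the edited `files_pid_filetrans(pcscd_t,pcscd_var_run_t, { file dir sock_file })` do not; one form should be used within the block. The pcscd.fc addition `/var/run/pcscd\.events(/.*)?` has no file-type field, so it labels the directory and everything beneath it, which fits a runtime-created tree; since the subject calls this a fix, a comment in pcscd.te such as `# pcscd creates a directory tree under /var/run (pcscd.events), hence dir in the filetrans` would record what the `dir` class was added for. Whether pcscd itself creates that directory is inferred from the filetrans rule, not shown here.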
@@ -658016,7 +658048,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post /var/spool/postfix/pid/.* gen_context(system_u:object_r:postfix_var_run_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfix.if serefpolicy-3.3.1/policy/modules/services/postfix.if --- nsaserefpolicy/policy/modules/services/postfix.if 2008-02-26 14:23:10.000000000 +0100 -+++ serefpolicy-3.3.1/policy/modules/services/postfix.if 2009-02-12 22:21:57.000000000 +0100 ++++ serefpolicy-3.3.1/policy/modules/services/postfix.if 2009-03-05 13:43:11.000000000 +0100 @@ -46,6 +46,7 @@ allow postfix_$1_t postfix_etc_t:dir list_dir_perms; @@ -658025,7 +658057,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post can_exec(postfix_$1_t, postfix_$1_exec_t) -@@ -206,9 +207,8 @@ +@@ -78,6 +79,7 @@ + files_read_etc_runtime_files(postfix_$1_t) + files_read_usr_symlinks(postfix_$1_t) + files_search_spool(postfix_$1_t) ++ files_search_all_mountpoints(postfix_$1_t) + files_getattr_tmp_dirs(postfix_$1_t) + + init_dontaudit_use_fds(postfix_$1_t) +@@ -206,9 +208,8 @@ type postfix_etc_t; ') @@ -658037,7 +658077,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post files_search_etc($1) ') -@@ -416,7 +416,7 @@ +@@ -416,7 +417,7 @@ ## ## # @@ -658046,7 +658086,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post gen_require(` type postfix_private_t; ') -@@ -427,6 +427,26 @@ +@@ -427,6 +428,26 @@ ######################################## ##
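Review bot: `files_search_all_mountpoints(postfix_$1_t)` in the postfix.if hunk is added inside the postfix domain template, so every domain instantiated from it gains search on all mountpoint directories, not only the one program that hit a denial, and the hunk carries no comment on which program needed it. If a single postfix domain needs the traversal, the rule belongs in that domain's block in postfix.te; if it is genuinely common to all postfix programs, a comment above the line naming the triggering denial (e.g. `# TODO(review): name the postfix program and path that required mountpoint search`) would make the grant auditable later. The template definition begins and ends outside the hunk.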

@@ -658073,7 +658113,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post ## Execute the master postfix program in the ## postfix_master domain. ## -@@ -482,6 +502,24 @@ +@@ -482,6 +503,24 @@ files_search_spool($1) ') @@ -658098,7 +658138,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post ######################################## ## ## Read postfix mail spool files. -@@ -503,6 +541,44 @@ +@@ -503,6 +542,44 @@ ######################################## ## @@ -658143,7 +658183,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post ## Execute postfix user mail programs ## in their respective domains. ## -@@ -519,3 +595,22 @@ +@@ -519,3 +596,22 @@ typeattribute $1 postfix_user_domtrans; ') @@ -659587,7 +659627,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ppp. -') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ppp.te serefpolicy-3.3.1/policy/modules/services/ppp.te --- nsaserefpolicy/policy/modules/services/ppp.te 2008-02-26 14:23:10.000000000 +0100 -+++ serefpolicy-3.3.1/policy/modules/services/ppp.te 2009-02-12 22:21:57.000000000 +0100 ++++ serefpolicy-3.3.1/policy/modules/services/ppp.te 2009-03-05 13:10:40.000000000 +0100 @@ -71,7 +71,7 @@ # PPPD Local policy # @@ -659606,7 +659646,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ppp. kernel_read_network_state(pppd_t) kernel_load_module(pppd_t) -@@ -176,10 +176,9 @@ +@@ -161,6 +161,7 @@ + + init_read_utmp(pppd_t) + init_dontaudit_write_utmp(pppd_t) ++init_signal_script(pppd_t) + + auth_use_nsswitch(pppd_t) + +@@ -176,10 +177,9 @@ sysnet_etc_filetrans_config(pppd_t) userdom_dontaudit_use_unpriv_user_fds(pppd_t) 
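Review bot: `init_signal_script(pppd_t)` in the ppp.te hunk lets pppd send generic signals to the init-script domain, which reaches every running init script rather than ppp's own, and the hunk gives no reason for the grant; the commit subject does not mention ppp either. A one-line comment above the rule stating the interaction that produced the denial would justify it, e.g. `# TODO(review): document why pppd must signal init scripts`. The pppd_t rule block continues outside the hunk.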
@@ -659618,7 +659666,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ppp. userdom_search_unpriv_users_home_dirs(pppd_t) ppp_exec(pppd_t) -@@ -196,6 +195,12 @@ +@@ -196,6 +196,12 @@ optional_policy(` mta_send_mail(pppd_t) @@ -659631,7 +659679,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ppp. ') optional_policy(` -@@ -215,14 +220,16 @@ +@@ -215,14 +221,16 @@ # PPTP Local policy # @@ -659651,7 +659699,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ppp. allow pptp_t pppd_etc_t:dir { getattr read search }; allow pptp_t pppd_etc_t:file { read getattr }; -@@ -246,9 +253,13 @@ +@@ -246,9 +254,13 @@ kernel_list_proc(pptp_t) kernel_read_kernel_sysctls(pptp_t) kernel_read_proc_symlinks(pptp_t) @@ -659665,7 +659713,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ppp. corenet_all_recvfrom_unlabeled(pptp_t) corenet_all_recvfrom_netlabel(pptp_t) corenet_tcp_sendrecv_all_if(pptp_t) -@@ -264,12 +275,16 @@ +@@ -264,12 +276,16 @@ fs_getattr_all_fs(pptp_t) fs_search_auto_mountpoints(pptp_t) @@ -659682,7 +659730,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ppp. libs_use_ld_so(pptp_t) libs_use_shared_libs(pptp_t) -@@ -278,6 +293,7 @@ +@@ -278,6 +294,7 @@ miscfiles_read_localization(pptp_t) sysnet_read_config(pptp_t) @@ -659690,7 +659738,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ppp. userdom_dontaudit_use_unpriv_user_fds(pptp_t) userdom_dontaudit_search_sysadm_home_dirs(pptp_t) -@@ -287,6 +303,14 @@ +@@ -287,6 +304,14 @@ ') optional_policy(` 
@@ -669882,7 +669930,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iscsi. diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.fc serefpolicy-3.3.1/policy/modules/system/libraries.fc --- nsaserefpolicy/policy/modules/system/libraries.fc 2008-02-26 14:23:09.000000000 +0100 -+++ serefpolicy-3.3.1/policy/modules/system/libraries.fc 2009-02-19 13:58:47.000000000 +0100 ++++ serefpolicy-3.3.1/policy/modules/system/libraries.fc 2009-03-05 13:40:29.000000000 +0100 @@ -69,8 +69,10 @@ ifdef(`distro_gentoo',` # despite the extensions, they are actually libs @@ -669998,7 +670046,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/librar /var/ftp/lib(64)?(/.*)? gen_context(system_u:object_r:lib_t,s0) /var/ftp/lib(64)?/ld[^/]*\.so(\.[^/]*)* -- gen_context(system_u:object_r:ld_so_t,s0) -@@ -301,6 +318,23 @@ +@@ -301,6 +318,28 @@ /var/lib/samba/bin/.+\.so(\.[^/]*)* -l gen_context(system_u:object_r:lib_t,s0) ') @@ -670022,6 +670070,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/librar +/usr/lib/sse2/libav.*\.so(\..*)? -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/usr/lib(64)?/sse2/.*\.so(\..*)? -- gen_context(system_u:object_r:textrel_shlib_t,s0) + ++/opt/google-earth/.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) ++ ++/opt/Komodo/lib/python/lib/python2.6/lib-dynload/.*\.so(\.[^/]*)* gen_context(system_u:object_r:textrel_shlib_t,s0) ++ ++ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.te serefpolicy-3.3.1/policy/modules/system/libraries.te --- nsaserefpolicy/policy/modules/system/libraries.te 2008-02-26 14:23:09.000000000 +0100 +++ serefpolicy-3.3.1/policy/modules/system/libraries.te 2009-02-12 22:21:57.000000000 +0100 
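Review bot: The new `/opt/google-earth/.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)` entry in the libraries.fc hunk is looser than the file's own convention (`\.so(\.[^/]*)*`, as on the Komodo line added just below and the existing `/var/lib/samba/bin/.+\.so(\.[^/]*)*` entry): `\.so.*` also matches any name that merely contains `.so`, e.g. a constructed `foo.sonar`. Because textrel_shlib_t permits text relocations, the label should cover as few files as possible, so `/opt/google-earth/.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)` is the safer form. The two added entries are also inconsistent with each other — the google-earth line has the `--` file-type field while the Komodo line has none — and the hunk ends by appending two empty lines to the file.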
@@ -674071,7 +674124,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo +/root(/.*)? gen_context(system_u:object_r:admin_home_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.3.1/policy/modules/system/userdomain.if --- nsaserefpolicy/policy/modules/system/userdomain.if 2008-02-26 14:23:09.000000000 +0100 -+++ serefpolicy-3.3.1/policy/modules/system/userdomain.if 2009-02-19 11:21:16.000000000 +0100 ++++ serefpolicy-3.3.1/policy/modules/system/userdomain.if 2009-03-05 13:35:19.000000000 +0100 @@ -29,9 +29,14 @@ ') @@ -675399,7 +675452,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2038,11 +2097,67 @@ +@@ -2038,11 +2097,92 @@ # template(`userdom_manage_user_home_content_dirs',` gen_require(` @@ -675414,6 +675467,31 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo + +') + ++####################################### ++## ++## Create objects in a user home directory ++## with an automatic type transition to ++## the user home file type. ++## ++## ++## ++## Domain allowed access. ++## ++## ++## ++## ++## The class of the object to be created. ++## ++## ++# ++interface(`userdom_user_home_dir_filetrans_pattern',` ++ gen_require(` ++ type user_home_dir_t, user_home_t; ++ ') ++ ++ type_transition $1 user_home_dir_t:$2 user_home_t; ++') ++ +######################################## +## +## dontaudit attemps to Create files @@ -675469,7 +675547,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2074,10 +2189,10 @@ +@@ -2074,10 +2214,10 @@ # template(`userdom_dontaudit_setattr_user_home_content_files',` gen_require(` 
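Review bot: The new `userdom_user_home_dir_filetrans_pattern` interface in the userdomain.if hunk emits only `type_transition $1 user_home_dir_t:$2 user_home_t;` and no allow rules, yet its summary "Create objects in a user home directory" reads as though it grants creation; the description should state that callers must obtain the create permissions separately, e.g. `## This interface only adds the type transition; it grants no permissions.`. The `_pattern` suffix is also misleading here, since in refpolicy `*_pattern` names belong to the support macros (such as `filetrans_pattern`, used in cron.te in this same patch), while the sibling interfaces in this file are named `userdom_user_home_dir_filetrans*`. It also appears to duplicate `userdom_user_home_dir_filetrans_user_home_content`, whose types this patch converts to the same `user_home_dir_t`/`user_home_t` further down; if that is so, ftp.te could call the existing interface instead.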
@@ -675482,7 +675560,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2107,11 +2222,11 @@ +@@ -2107,11 +2247,11 @@ # template(`userdom_read_user_home_content_files',` gen_require(` @@ -675496,7 +675574,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2141,11 +2256,11 @@ +@@ -2141,11 +2281,11 @@ # template(`userdom_dontaudit_read_user_home_content_files',` gen_require(` @@ -675511,7 +675589,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2175,10 +2290,14 @@ +@@ -2175,10 +2315,14 @@ # template(`userdom_dontaudit_write_user_home_content_files',` gen_require(` @@ -675528,7 +675606,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2208,11 +2327,11 @@ +@@ -2208,11 +2352,11 @@ # template(`userdom_read_user_home_content_symlinks',` gen_require(` @@ -675542,7 +675620,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2242,11 +2361,11 @@ +@@ -2242,11 +2386,11 @@ # template(`userdom_exec_user_home_content_files',` gen_require(` @@ -675556,7 +675634,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2276,10 +2395,37 @@ +@@ -2276,10 +2420,37 @@ # template(`userdom_dontaudit_exec_user_home_content_files',` gen_require(` @@ -675596,7 +675674,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2311,12 +2457,12 @@ +@@ -2311,12 +2482,12 @@ # template(`userdom_manage_user_home_content_files',` gen_require(` 
@@ -675612,7 +675690,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2348,10 +2494,10 @@ +@@ -2348,10 +2519,10 @@ # template(`userdom_dontaudit_manage_user_home_content_dirs',` gen_require(` @@ -675625,7 +675703,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2383,12 +2529,12 @@ +@@ -2383,12 +2554,12 @@ # template(`userdom_manage_user_home_content_symlinks',` gen_require(` @@ -675641,7 +675719,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2420,12 +2566,12 @@ +@@ -2420,12 +2591,12 @@ # template(`userdom_manage_user_home_content_pipes',` gen_require(` @@ -675657,7 +675735,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2457,12 +2603,12 @@ +@@ -2457,12 +2628,12 @@ # template(`userdom_manage_user_home_content_sockets',` gen_require(` @@ -675673,7 +675751,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2507,11 +2653,11 @@ +@@ -2507,11 +2678,11 @@ # template(`userdom_user_home_dir_filetrans',` gen_require(` @@ -675687,7 +675765,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2556,11 +2702,11 @@ +@@ -2556,11 +2727,11 @@ # template(`userdom_user_home_content_filetrans',` gen_require(` @@ -675701,7 +675779,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2600,11 +2746,11 @@ +@@ -2600,11 +2771,11 @@ # template(`userdom_user_home_dir_filetrans_user_home_content',` gen_require(` 
@@ -675715,7 +675793,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2634,11 +2780,11 @@ +@@ -2634,11 +2805,11 @@ # template(`userdom_write_user_tmp_sockets',` gen_require(` @@ -675729,7 +675807,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2668,11 +2814,11 @@ +@@ -2668,11 +2839,11 @@ # template(`userdom_list_user_tmp',` gen_require(` @@ -675743,7 +675821,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2704,10 +2850,10 @@ +@@ -2704,10 +2875,10 @@ # template(`userdom_dontaudit_list_user_tmp',` gen_require(` @@ -675756,7 +675834,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2739,10 +2885,10 @@ +@@ -2739,10 +2910,10 @@ # template(`userdom_dontaudit_manage_user_tmp_dirs',` gen_require(` @@ -675769,7 +675847,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2772,12 +2918,12 @@ +@@ -2772,12 +2943,12 @@ # template(`userdom_read_user_tmp_files',` gen_require(` @@ -675785,55 +675863,25 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2809,20 +2955,20 @@ +@@ -2809,10 +2980,45 @@ # template(`userdom_dontaudit_read_user_tmp_files',` gen_require(` - type $1_tmp_t; + type user_tmp_t; - ') - -- dontaudit $2 $1_tmp_t:file read_file_perms; ++ ') ++ + dontaudit $2 user_tmp_t:file read_file_perms; - ') - - ######################################## - ## --## Do not audit attempts to append users -+## Do not audit attempts to write users - ## temporary files. - ## - ## - ##

--## Do not audit attempts to append users ++') ++ ++######################################## ++##

+## Do not audit attempts to write users - ## temporary files. - ##

- ##

-@@ -2842,17 +2988,90 @@ - ##

- ## - # --template(`userdom_dontaudit_append_user_tmp_files',` -+template(`userdom_dontaudit_write_user_tmp_files',` - gen_require(` -- type $1_tmp_t; -+ type user_tmp_t; - ') - -- dontaudit $2 $1_tmp_t:file append; -+ dontaudit $2 user_tmp_t:file write; - ') - - ######################################## - ## --## Read and write user temporary files. -+## Do not audit attempts to append users +## temporary files. +## +## +##

-+## Do not audit attempts to append users ++## Do not audit attempts to write users +## temporary files. +##

+##

@@ -675853,9 +675901,22 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo +##

+## +# -+template(`userdom_dontaudit_append_user_tmp_files',` ++template(`userdom_dontaudit_write_user_tmp_files',` + gen_require(` + type user_tmp_t; + ') + +- dontaudit $2 $1_tmp_t:file read_file_perms; ++ dontaudit $2 user_tmp_t:file write; + ') + + ######################################## +@@ -2844,10 +3050,48 @@ + # + template(`userdom_dontaudit_append_user_tmp_files',` + gen_require(` +- type $1_tmp_t; ++ type user_tmp_t; + ') + + dontaudit $2 user_tmp_t:file append; @@ -675894,18 +675955,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo + gen_require(` + attribute user_tmpfile; + attribute userdomain; -+ ') -+ + ') + +- dontaudit $2 $1_tmp_t:file append; + stream_connect_pattern($1, user_tmpfile, user_tmpfile, userdomain) -+') -+ -+######################################## -+## -+## Read and write user temporary files. - ## - ## - ##

-@@ -2877,12 +3096,12 @@ + ') + + ######################################## +@@ -2877,12 +3121,12 @@ # template(`userdom_rw_user_tmp_files',` gen_require(` @@ -675921,7 +675978,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2914,10 +3133,10 @@ +@@ -2914,10 +3158,10 @@ # template(`userdom_dontaudit_manage_user_tmp_files',` gen_require(` @@ -675934,7 +675991,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2949,12 +3168,12 @@ +@@ -2949,12 +3193,12 @@ # template(`userdom_read_user_tmp_symlinks',` gen_require(` @@ -675950,7 +676007,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2986,11 +3205,11 @@ +@@ -2986,11 +3230,11 @@ # template(`userdom_manage_user_tmp_dirs',` gen_require(` @@ -675964,7 +676021,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -3022,11 +3241,11 @@ +@@ -3022,11 +3266,11 @@ # template(`userdom_manage_user_tmp_files',` gen_require(` @@ -675978,7 +676035,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -3058,11 +3277,11 @@ +@@ -3058,11 +3302,11 @@ # template(`userdom_manage_user_tmp_symlinks',` gen_require(` @@ -675992,7 +676049,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -3094,11 +3313,11 @@ +@@ -3094,11 +3338,11 @@ # template(`userdom_manage_user_tmp_pipes',` gen_require(` @@ -676006,7 +676063,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -3130,11 +3349,11 @@ +@@ -3130,11 +3374,11 @@ # template(`userdom_manage_user_tmp_sockets',` gen_require(` 
@@ -676020,7 +676077,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -3179,10 +3398,10 @@ +@@ -3179,10 +3423,10 @@ # template(`userdom_user_tmp_filetrans',` gen_require(` @@ -676033,7 +676090,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo files_search_tmp($2) ') -@@ -3223,10 +3442,10 @@ +@@ -3223,10 +3467,10 @@ # template(`userdom_tmp_filetrans_user_tmp',` gen_require(` @@ -676046,7 +676103,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -3254,6 +3473,63 @@ +@@ -3254,6 +3498,63 @@ ##

## # @@ -676110,7 +676167,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo template(`userdom_rw_user_tmpfs_files',` gen_require(` type $1_tmpfs_t; -@@ -3267,6 +3543,42 @@ +@@ -3267,6 +3568,42 @@ ######################################## ## @@ -676153,7 +676210,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ## List users untrusted directories. ## ## -@@ -3962,6 +4274,24 @@ +@@ -3962,6 +4299,24 @@ ######################################## ## @@ -676178,7 +676235,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ## Manage unpriviledged user SysV shared ## memory segments. ## -@@ -4231,11 +4561,11 @@ +@@ -4231,11 +4586,11 @@ # interface(`userdom_search_staff_home_dirs',` gen_require(` @@ -676192,7 +676249,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -4251,10 +4581,10 @@ +@@ -4251,10 +4606,10 @@ # interface(`userdom_dontaudit_search_staff_home_dirs',` gen_require(` @@ -676205,7 +676262,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -4270,11 +4600,11 @@ +@@ -4270,11 +4625,11 @@ # interface(`userdom_manage_staff_home_dirs',` gen_require(` @@ -676219,7 +676276,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -4289,16 +4619,16 @@ +@@ -4289,16 +4644,16 @@ # interface(`userdom_relabelto_staff_home_dirs',` gen_require(` @@ -676239,7 +676296,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ## users home directory. ## ## -@@ -4307,12 +4637,54 @@ +@@ -4307,12 +4662,54 @@ ## ## # 
@@ -676297,7 +676354,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -4327,13 +4699,13 @@ +@@ -4327,13 +4724,13 @@ # interface(`userdom_read_staff_home_content_files',` gen_require(` @@ -676315,7 +676372,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -4531,10 +4903,10 @@ +@@ -4531,10 +4928,10 @@ # interface(`userdom_getattr_sysadm_home_dirs',` gen_require(` @@ -676328,7 +676385,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -4551,10 +4923,10 @@ +@@ -4551,10 +4948,10 @@ # interface(`userdom_dontaudit_getattr_sysadm_home_dirs',` gen_require(` @@ -676341,7 +676398,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -4569,10 +4941,10 @@ +@@ -4569,10 +4966,10 @@ # interface(`userdom_search_sysadm_home_dirs',` gen_require(` @@ -676354,7 +676411,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -4588,10 +4960,10 @@ +@@ -4588,10 +4985,10 @@ # interface(`userdom_dontaudit_search_sysadm_home_dirs',` gen_require(` @@ -676367,7 +676424,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -4606,10 +4978,10 @@ +@@ -4606,10 +5003,10 @@ # interface(`userdom_list_sysadm_home_dirs',` gen_require(` @@ -676380,7 +676437,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -4625,10 +4997,10 @@ +@@ -4625,10 +5022,10 @@ # interface(`userdom_dontaudit_list_sysadm_home_dirs',` gen_require(` 
@@ -676393,7 +676450,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -4644,14 +5016,53 @@ +@@ -4644,14 +5041,53 @@ # interface(`userdom_dontaudit_read_sysadm_home_content_files',` gen_require(` @@ -676451,7 +676508,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ######################################## ## ## Create objects in sysadm home directories -@@ -4676,10 +5087,10 @@ +@@ -4676,10 +5112,10 @@ # interface(`userdom_sysadm_home_dir_filetrans',` gen_require(` @@ -676464,7 +676521,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -4694,10 +5105,10 @@ +@@ -4694,10 +5130,10 @@ # interface(`userdom_search_sysadm_home_content_dirs',` gen_require(` @@ -676477,7 +676534,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -4712,13 +5123,13 @@ +@@ -4712,13 +5148,13 @@ # interface(`userdom_read_sysadm_home_content_files',` gen_require(` @@ -676495,7 +676552,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -4754,16 +5165,16 @@ +@@ -4754,16 +5190,16 @@ # interface(`userdom_search_all_users_home_dirs',` gen_require(` @@ -676515,7 +676572,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ## ## ## -@@ -4771,18 +5182,18 @@ +@@ -4771,18 +5207,18 @@ ## ## # @@ -676537,7 +676594,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ## ## ## -@@ -4790,36 +5201,45 @@ +@@ -4790,31 +5226,79 @@ ## ## # 
@@ -676583,20 +676640,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
+ tunable_policy(`use_samba_home_dirs',`
+ fs_list_cifs($1)
+ ')
- ')
-
- ########################################
- ##
--## Read all files in all users home directories.
++')
++
++########################################
++##
+## Search all users home directories.
- ##
- ##
- ##
-@@ -4827,7 +5247,46 @@
- ##
- ##
- #
--interface(`userdom_read_all_users_home_content_files',`
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
+interface(`userdom_search_all_users_home_content',`
+ gen_require(`
+ attribute home_dir_type, home_type;
@@ -676624,23 +676679,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
+ dontaudit $1 { home_dir_type home_type }:dir search_dir_perms;
+ fs_dontaudit_list_nfs($1)
+ fs_dontaudit_list_cifs($1)
-+')
-+
-+########################################
-+##
-+## Read all files in all users home directories.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`userdom_read_all_users_home_content_files',`
- gen_require(`
- attribute home_type;
- ')
-@@ -4839,6 +5298,26 @@
+ ')
+
+ ########################################
+@@ -4839,6 +5323,26 @@
 ########################################
 ##
@@ -676667,7 +676709,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
 ## Create, read, write, and delete all directories
 ## in all users home directories.
 ##
-@@ -4859,6 +5338,25 @@
+@@ -4859,6 +5363,25 @@
 ########################################
 ##
@@ -676693,7 +676735,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
 ## Create, read, write, and delete all files
 ## in all users home directories.
 ##
-@@ -4879,6 +5377,26 @@
+@@ -4879,6 +5402,26 @@
 ########################################
 ##
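Review bot: The rewritten inner hunk headers in this hunk and the next (`-@@ -4827,7 +5247,46 @@` dropped, `+@@ -4839,6 +5323,26 @@` added) move where policy-20071130.patch inserts `userdom_search_all_users_home_content`, and nothing in the commit shows that the regenerated line counts still apply cleanly to the pristine serefpolicy-3.3.1 userdom.if. A dry-run apply of the regenerated patch against the unpatched tree is the check I would want recorded before this lands. As far as the collapsed text shows, the resulting userdom.if content is unchanged — the search interface and its `dontaudit $1 { home_dir_type home_type }:dir search_dir_perms;` / `fs_dontaudit_list_nfs($1)` / `fs_dontaudit_list_cifs($1)` lines are present on both sides — but that is inferred from the diff, and the subject names only pcscd and alsa. A one-line entry such as `- Regenerate userdom.if hunks (offsets only, no policy change)` in the description would tell a later reader that the offset-only hunks from `@@ -676297,7 +676354,7 @@` through `@@ -676889,7 +676931,7 @@` need no separate audit.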
@@ -676720,7 +676762,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
 ## Create, read, write, and delete all symlinks
 ## in all users home directories.
 ##
-@@ -5115,7 +5633,7 @@
+@@ -5115,7 +5658,7 @@
 #
 interface(`userdom_relabelto_generic_user_home_dirs',`
 gen_require(`
@@ -676729,7 +676771,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
 ')
 files_search_home($1)
-@@ -5304,6 +5822,63 @@
+@@ -5304,6 +5847,63 @@
 ########################################
 ##
@@ -676793,7 +676835,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
 ## Create, read, write, and delete directories in
 ## unprivileged users home directories.
 ##
-@@ -5509,6 +6084,43 @@
+@@ -5509,6 +6109,43 @@
 ########################################
 ##
@@ -676837,7 +676879,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
 ## Read and write unprivileged user ttys.
 ##
 ##
-@@ -5559,7 +6171,7 @@
+@@ -5559,7 +6196,7 @@
 attribute userdomain;
 ')
@@ -676846,7 +676888,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
 kernel_search_proc($1)
 ')
-@@ -5674,6 +6286,42 @@
+@@ -5674,6 +6311,42 @@
 ########################################
 ##
@@ -676889,7 +676931,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
 ## Send a dbus message to all user domains.
 ##
 ##
-@@ -5704,3 +6352,408 @@
+@@ -5704,3 +6377,408 @@
 interface(`userdom_unconfined',`
 refpolicywarn(`$0($*) has been deprecated.')
 ')
