From 598de2dbc38736dffcdd6011e42f0fdf37da8226 Mon Sep 17 00:00:00 2001 From: Daniel J Walsh Date: Feb 09 2009 14:20:38 +0000 Subject: - Allow xdm to create user_tmp_t sockets for switch user to work --- diff --git a/policy-20090105.patch b/policy-20090105.patch index 036f8ea..a67025e 100644 --- a/policy-20090105.patch +++ b/policy-20090105.patch @@ -1483,8 +1483,33 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/usermanage.if serefpolicy-3.6.4/policy/modules/admin/usermanage.if --- nsaserefpolicy/policy/modules/admin/usermanage.if 2008-11-11 16:13:49.000000000 -0500 -+++ serefpolicy-3.6.4/policy/modules/admin/usermanage.if 2009-02-03 22:57:29.000000000 -0500 -@@ -138,6 +138,7 @@ ++++ serefpolicy-3.6.4/policy/modules/admin/usermanage.if 2009-02-07 07:19:49.000000000 -0500 +@@ -117,6 +117,24 @@ + + ######################################## + ## ++## Send sigkills to passwd. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`usermanage_passwd_sigkill',` ++ gen_require(` ++ type passwd_t; ++ ') ++ ++ allow $1 passwd_t:process sigkill; ++') ++ ++######################################## ++## + ## Execute passwd in the passwd domain, and + ## allow the specified role the passwd domain. + ## +@@ -138,6 +156,7 @@ usermanage_domtrans_passwd($1) role $2 types passwd_t; @@ -4634,7 +4659,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.if serefpolicy-3.6.4/policy/modules/kernel/devices.if --- nsaserefpolicy/policy/modules/kernel/devices.if 2009-01-05 15:39:38.000000000 -0500 -+++ serefpolicy-3.6.4/policy/modules/kernel/devices.if 2009-02-03 22:57:29.000000000 -0500 ++++ serefpolicy-3.6.4/policy/modules/kernel/devices.if 2009-02-09 09:03:10.000000000 -0500 @@ -65,7 +65,7 @@ relabelfrom_dirs_pattern($1, device_t, device_node) @@ -5410,7 +5435,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol /var/lib/nfs/rpc_pipefs(/.*)? <> diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.if serefpolicy-3.6.4/policy/modules/kernel/files.if --- nsaserefpolicy/policy/modules/kernel/files.if 2009-01-05 15:39:38.000000000 -0500 -+++ serefpolicy-3.6.4/policy/modules/kernel/files.if 2009-02-04 10:53:13.000000000 -0500 ++++ serefpolicy-3.6.4/policy/modules/kernel/files.if 2009-02-09 09:04:21.000000000 -0500 @@ -110,6 +110,11 @@ ## # @@ -8851,7 +8876,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.te serefpolicy-3.6.4/policy/modules/services/apache.te --- nsaserefpolicy/policy/modules/services/apache.te 2009-01-19 11:06:49.000000000 -0500 -+++ serefpolicy-3.6.4/policy/modules/services/apache.te 2009-02-03 22:57:29.000000000 -0500 ++++ serefpolicy-3.6.4/policy/modules/services/apache.te 2009-02-06 16:08:00.000000000 -0500 @@ -19,6 +19,8 @@ # Declarations # @@ -9072,8 +9097,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +## +gen_tunable(allow_httpd_mod_auth_pam, false) + - tunable_policy(`allow_httpd_mod_auth_pam',` -- auth_domtrans_chk_passwd(httpd_t) ++tunable_policy(`allow_httpd_mod_auth_pam',` + auth_domtrans_chkpwd(httpd_t) +') + @@ -9084,7 +9108,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +## +gen_tunable(allow_httpd_mod_auth_ntlm_winbind, false) +optional_policy(` -+tunable_policy(`allow_httpd_mod_auth_pam',` + tunable_policy(`allow_httpd_mod_auth_pam',` +- auth_domtrans_chk_passwd(httpd_t) + samba_domtrans_winbind_helper(httpd_t) ') ') @@ -9358,20 +9383,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',` -@@ -655,6 +809,12 @@ - fs_exec_nfs_files(httpd_suexec_t) - ') - -+tunable_policy(`httpd_use_cifs',` -+ fs_manage_cifs_files(httpd_suexec_t) -+ fs_manage_cifs_symlinks(httpd_suexec_t) -+ fs_exec_cifs_files(httpd_suexec_t) -+') -+ - tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',` - fs_read_cifs_files(httpd_suexec_t) - fs_read_cifs_symlinks(httpd_suexec_t) -@@ -672,15 +832,14 @@ +@@ -672,15 +826,14 @@ dontaudit httpd_suexec_t httpd_t:unix_stream_socket { read write }; ') @@ -9390,7 +9402,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol allow httpd_sys_script_t httpd_t:tcp_socket { read write }; dontaudit httpd_sys_script_t httpd_config_t:dir search; -@@ -699,12 +858,24 @@ +@@ -699,12 +852,24 @@ # Should we add a boolean? apache_domtrans_rotatelogs(httpd_sys_script_t) @@ -9408,16 +9420,16 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + fs_manage_nfs_dirs(httpd_sys_script_t) + fs_manage_nfs_files(httpd_sys_script_t) + fs_manage_nfs_symlinks(httpd_sys_script_t) -+') ++ fs_exec_nfs_files(httpd_sys_script_t) + -+tunable_policy(`httpd_use_nfs',` + fs_manage_nfs_dirs(httpd_suexec_t) + fs_manage_nfs_files(httpd_suexec_t) + fs_manage_nfs_symlinks(httpd_suexec_t) ++ fs_exec_nfs_files(httpd_suexec_t) ') tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',` -@@ -712,6 +883,35 @@ +@@ -712,6 +877,35 @@ fs_read_nfs_symlinks(httpd_sys_script_t) ') @@ -9447,13 +9459,13 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + fs_manage_cifs_dirs(httpd_suexec_t) + fs_manage_cifs_files(httpd_suexec_t) + fs_manage_cifs_symlinks(httpd_suexec_t) ++ fs_exec_cifs_files(httpd_suexec_t) +') + -+ tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',` fs_read_cifs_files(httpd_sys_script_t) fs_read_cifs_symlinks(httpd_sys_script_t) -@@ -724,6 +924,10 @@ +@@ -724,6 +918,10 @@ optional_policy(` mysql_stream_connect(httpd_sys_script_t) mysql_rw_db_sockets(httpd_sys_script_t) @@ -9464,7 +9476,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') optional_policy(` -@@ -735,6 +939,8 @@ +@@ -735,6 +933,8 @@ # httpd_rotatelogs local policy # @@ -9473,7 +9485,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol manage_files_pattern(httpd_rotatelogs_t, httpd_log_t, httpd_log_t) kernel_read_kernel_sysctls(httpd_rotatelogs_t) -@@ -754,6 +960,12 @@ +@@ -754,6 +954,12 @@ tunable_policy(`httpd_enable_cgi && httpd_unified',` allow httpd_user_script_t httpdcontent:file entrypoint; @@ -9486,7 +9498,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') # allow accessing files/dirs below the users home dir -@@ -762,3 +974,66 @@ +@@ -762,3 +968,66 @@ userdom_search_user_home_dirs(httpd_suexec_t) userdom_search_user_home_dirs(httpd_user_script_t) ') @@ -20074,7 +20086,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.te serefpolicy-3.6.4/policy/modules/services/rpc.te --- nsaserefpolicy/policy/modules/services/rpc.te 2009-01-19 11:06:49.000000000 -0500 -+++ serefpolicy-3.6.4/policy/modules/services/rpc.te 2009-02-03 22:57:29.000000000 -0500 ++++ serefpolicy-3.6.4/policy/modules/services/rpc.te 2009-02-09 09:05:45.000000000 -0500 @@ -23,7 +23,7 @@ gen_tunable(allow_nfsd_anon_write, false) @@ -20100,15 +20112,27 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol corenet_tcp_bind_all_rpc_ports(nfsd_t) corenet_udp_bind_all_rpc_ports(nfsd_t) -@@ -135,6 +137,7 @@ +@@ -135,11 +137,19 @@ tunable_policy(`nfs_export_all_rw',` fs_read_noxattr_fs_files(nfsd_t) auth_manage_all_files_except_shadow(nfsd_t) + userdom_user_home_dir_filetrans_user_home_content(nfsd_t, { file dir }) ++ dev_getattr_all_blk_files(nfsd_t) ++ dev_getattr_all_chr_files(nfsd_t) ') tunable_policy(`nfs_export_all_ro',` -@@ -170,6 +173,7 @@ + fs_read_noxattr_fs_files(nfsd_t) ++ auth_read_all_dirs_except_shadow(nfsd_t) + auth_read_all_files_except_shadow(nfsd_t) ++ files_getattr_all_pipes(nfsd_t) ++ files_getattr_all_sockets(nfsd_t) ++ dev_getattr_all_blk_files(nfsd_t) ++ dev_getattr_all_chr_files(nfsd_t) + ') + + ######################################## +@@ -170,6 +180,7 @@ files_read_usr_symlinks(gssd_t) auth_use_nsswitch(gssd_t) @@ -20116,7 +20140,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol miscfiles_read_certs(gssd_t) -@@ -180,8 +184,7 @@ +@@ -180,8 +191,7 @@ ') optional_policy(` @@ -20582,7 +20606,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samba.te serefpolicy-3.6.4/policy/modules/services/samba.te --- nsaserefpolicy/policy/modules/services/samba.te 2009-01-19 11:07:34.000000000 -0500 -+++ serefpolicy-3.6.4/policy/modules/services/samba.te 2009-02-03 22:57:29.000000000 -0500 ++++ serefpolicy-3.6.4/policy/modules/services/samba.te 2009-02-07 07:19:23.000000000 -0500 @@ -66,6 +66,13 @@ ## gen_tunable(samba_share_nfs, false) @@ -20736,7 +20760,13 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ifdef(`hide_broken_symptoms', ` files_dontaudit_getattr_default_dirs(smbd_t) files_dontaudit_getattr_boot_dirs(smbd_t) -@@ -338,20 +365,27 @@ +@@ -333,25 +360,33 @@ + + tunable_policy(`samba_domain_controller',` + usermanage_domtrans_passwd(smbd_t) ++ usermanage_passwd_sigkill(smbd_t) + usermanage_domtrans_useradd(smbd_t) + usermanage_domtrans_groupadd(smbd_t) ') tunable_policy(`samba_enable_home_dirs',` @@ -20770,7 +20800,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol optional_policy(` cups_read_rw_config(smbd_t) cups_stream_connect(smbd_t) -@@ -359,6 +393,16 @@ +@@ -359,6 +394,16 @@ optional_policy(` kerberos_use(smbd_t) @@ -20787,7 +20817,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') optional_policy(` -@@ -381,8 +425,10 @@ +@@ -381,8 +426,10 @@ tunable_policy(`samba_export_all_ro',` fs_read_noxattr_fs_files(smbd_t) @@ -20798,7 +20828,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol auth_read_all_files_except_shadow(nmbd_t) ') -@@ -454,6 +500,7 @@ +@@ -454,6 +501,7 @@ dev_getattr_mtrr_dev(nmbd_t) fs_getattr_all_fs(nmbd_t) @@ -20806,7 +20836,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol fs_search_auto_mountpoints(nmbd_t) domain_use_interactive_fds(nmbd_t) -@@ -553,19 +600,33 @@ +@@ -553,19 +601,33 @@ userdom_use_user_terminals(smbmount_t) userdom_use_all_users_fds(smbmount_t) @@ -20843,7 +20873,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol rw_files_pattern(swat_t, samba_etc_t, samba_etc_t) -@@ -585,6 +646,9 @@ +@@ -585,6 +647,9 @@ files_pid_filetrans(swat_t, swat_var_run_t, file) allow swat_t winbind_exec_t:file mmap_file_perms; @@ -20853,7 +20883,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol kernel_read_kernel_sysctls(swat_t) kernel_read_system_state(swat_t) -@@ -609,15 +673,18 @@ +@@ -609,15 +674,18 @@ dev_read_urand(swat_t) @@ -20872,7 +20902,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol logging_search_logs(swat_t) miscfiles_read_localization(swat_t) -@@ -635,6 +702,17 @@ +@@ -635,6 +703,17 @@ kerberos_use(swat_t) ') @@ -20890,7 +20920,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ######################################## # # Winbind local policy -@@ -642,7 +720,7 @@ +@@ -642,7 +721,7 @@ allow winbind_t self:capability { dac_override ipc_lock setuid }; dontaudit winbind_t self:capability sys_tty_config; @@ -20899,7 +20929,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol allow winbind_t self:fifo_file rw_fifo_file_perms; allow winbind_t self:unix_dgram_socket create_socket_perms; allow winbind_t self:unix_stream_socket create_stream_socket_perms; -@@ -683,9 +761,10 @@ +@@ -683,9 +762,10 @@ manage_sock_files_pattern(winbind_t, winbind_var_run_t, winbind_var_run_t) files_pid_filetrans(winbind_t, winbind_var_run_t, file) @@ -20912,7 +20942,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol corenet_all_recvfrom_unlabeled(winbind_t) corenet_all_recvfrom_netlabel(winbind_t) -@@ -709,10 +788,12 @@ +@@ -709,10 +789,12 @@ auth_domtrans_chk_passwd(winbind_t) auth_use_nsswitch(winbind_t) @@ -20925,7 +20955,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol logging_send_syslog_msg(winbind_t) -@@ -768,8 +849,13 @@ +@@ -768,8 +850,13 @@ userdom_use_user_terminals(winbind_helper_t) optional_policy(` @@ -20939,7 +20969,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -778,6 +864,16 @@ +@@ -778,6 +865,16 @@ # optional_policy(` @@ -20956,7 +20986,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol type samba_unconfined_script_t; type samba_unconfined_script_exec_t; domain_type(samba_unconfined_script_t) -@@ -788,9 +884,43 @@ +@@ -788,9 +885,43 @@ allow smbd_t samba_unconfined_script_exec_t:dir search_dir_perms; allow smbd_t samba_unconfined_script_exec_t:file ioctl; @@ -23547,7 +23577,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.te serefpolicy-3.6.4/policy/modules/services/xserver.te --- nsaserefpolicy/policy/modules/services/xserver.te 2009-01-19 11:06:49.000000000 -0500 -+++ serefpolicy-3.6.4/policy/modules/services/xserver.te 2009-02-05 18:20:04.000000000 -0500 ++++ serefpolicy-3.6.4/policy/modules/services/xserver.te 2009-02-08 17:11:40.000000000 -0500 @@ -34,6 +34,13 @@ ## @@ -23903,7 +23933,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # Search /proc for any user domain processes. userdom_read_all_users_state(xdm_t) userdom_signal_all_users(xdm_t) -+userdom_write_user_tmp_files(xdm_t) ++userdom_manage_user_tmp_sockets(xdm_t) xserver_rw_session(xdm_t,xdm_tmpfs_t) xserver_unconfined(xdm_t) @@ -24394,7 +24424,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +/var/cache/coolkey(/.*)? gen_context(system_u:object_r:auth_cache_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.if serefpolicy-3.6.4/policy/modules/system/authlogin.if --- nsaserefpolicy/policy/modules/system/authlogin.if 2008-11-11 16:13:48.000000000 -0500 -+++ serefpolicy-3.6.4/policy/modules/system/authlogin.if 2009-02-04 10:32:13.000000000 -0500 ++++ serefpolicy-3.6.4/policy/modules/system/authlogin.if 2009-02-07 07:22:59.000000000 -0500 @@ -43,20 +43,38 @@ interface(`auth_login_pgm_domain',` gen_require(` @@ -24509,11 +24539,11 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol - sysnet_dns_name_resolve($1) - sysnet_use_ldap($1) - - optional_policy(` +- optional_policy(` - kerberos_use($1) - ') - -- optional_policy(` + optional_policy(` - nis_use_ypbind($1) + kerberos_read_keytab($1) + kerberos_connect_524($1) @@ -24600,10 +24630,14 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## Manage all files on the filesystem, except ## the shadow passwords and listed exceptions. ## -@@ -1297,6 +1395,10 @@ +@@ -1297,6 +1395,14 @@ ') optional_policy(` ++ ldap_stream_connect($1) ++ ') ++ ++ optional_policy(` + kerberos_use($1) + ') + @@ -24611,7 +24645,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol nis_use_ypbind($1) ') -@@ -1307,6 +1409,7 @@ +@@ -1307,6 +1413,7 @@ optional_policy(` samba_stream_connect_winbind($1) samba_read_var_files($1) @@ -24619,7 +24653,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ') -@@ -1341,3 +1444,99 @@ +@@ -1341,3 +1448,99 @@ typeattribute $1 can_write_shadow_passwords; typeattribute $1 can_relabelto_shadow_passwords; ') @@ -25561,7 +25595,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol allow iscsid_t iscsi_tmp_t:dir manage_dir_perms; diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.fc serefpolicy-3.6.4/policy/modules/system/libraries.fc --- nsaserefpolicy/policy/modules/system/libraries.fc 2009-01-05 15:39:43.000000000 -0500 -+++ serefpolicy-3.6.4/policy/modules/system/libraries.fc 2009-02-03 22:57:29.000000000 -0500 ++++ serefpolicy-3.6.4/policy/modules/system/libraries.fc 2009-02-09 08:38:58.000000000 -0500 @@ -60,12 +60,15 @@ # # /opt @@ -25599,7 +25633,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol /usr/(.*/)?java/.+\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/(.*/)?java/.+\.jar -- gen_context(system_u:object_r:lib_t,s0) -@@ -115,9 +120,17 @@ +@@ -115,24 +120,34 @@ /usr/(.*/)?nvidia/.+\.so(\..*)? -- gen_context(system_u:object_r:textrel_shlib_t,s0) @@ -25617,7 +25651,10 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol /usr/(.*/)?lib(64)?(/.*)?/nvidia/.+\.so(\..*)? -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib(64)?(/.*)?/nvidia/.+\.so(\..*)? -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib(64)?/libsipphoneapi\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) -@@ -127,12 +140,14 @@ + /usr/lib(64)?/ati-fglrx/.+\.so(\..*)? -- gen_context(system_u:object_r:textrel_shlib_t,s0) + /usr/lib(64)?/(nvidia/)?libGL(core)?\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) +-/usr/lib(64)?/fglrx/libGL\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) ++/usr/lib(64)?/fglrx/.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib(64)?/libGLU\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib(64)?/libjs\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib(64)?/libx264\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) @@ -28621,7 +28658,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +/dev/shm/mono.* gen_context(system_u:object_r:user_tmpfs_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.6.4/policy/modules/system/userdomain.if --- nsaserefpolicy/policy/modules/system/userdomain.if 2009-01-19 11:07:34.000000000 -0500 -+++ serefpolicy-3.6.4/policy/modules/system/userdomain.if 2009-02-05 18:26:44.000000000 -0500 ++++ serefpolicy-3.6.4/policy/modules/system/userdomain.if 2009-02-08 17:11:31.000000000 -0500 @@ -30,8 +30,9 @@ ')