##
@@ -32498,7 +32731,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
## This template creates a user domain, types, and
## rules for the user's tty, pty, home directories,
## tmp, and tmpfs files.
-@@ -1164,7 +1170,6 @@
+@@ -1164,7 +1176,6 @@
# Need the following rule to allow users to run vpnc
corenet_tcp_bind_xserver_port($1_t)
@@ -32506,26 +32739,26 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
# cjp: why?
files_read_kernel_symbol_table($1_t)
-@@ -1193,12 +1198,15 @@
+@@ -1193,12 +1204,15 @@
# and may change other protocols
tunable_policy(`user_tcp_server',`
corenet_tcp_bind_all_nodes($1_t)
- corenet_tcp_bind_generic_port($1_t)
+ corenet_tcp_bind_all_unreserved_ports($1_t)
++ ')
++
++ optional_policy(`
++ hal_dbus_chat($1_t)
')
optional_policy(`
- netutils_run_ping_cond($1_t,$1_r,{ $1_tty_device_t $1_devpts_t })
- netutils_run_traceroute_cond($1_t,$1_r,{ $1_tty_device_t $1_devpts_t })
-+ hal_dbus_chat($1_t)
-+ ')
-+
-+ optional_policy(`
+ cron_per_role_template($1, $1_t, $1_r)
')
# Run pppd in pppd_t by default for user
-@@ -1207,7 +1215,27 @@
+@@ -1207,7 +1221,27 @@
')
optional_policy(`
@@ -32554,7 +32787,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
')
-@@ -1284,8 +1312,6 @@
+@@ -1284,8 +1318,6 @@
# Manipulate other users crontab.
allow $1_t self:passwd crontab;
@@ -32563,7 +32796,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
kernel_read_software_raid_state($1_t)
kernel_getattr_core_if($1_t)
kernel_getattr_message_if($1_t)
-@@ -1307,8 +1333,6 @@
+@@ -1307,8 +1339,6 @@
dev_getattr_generic_blk_files($1_t)
dev_getattr_generic_chr_files($1_t)
@@ -32572,7 +32805,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
# Allow MAKEDEV to work
dev_create_all_blk_files($1_t)
dev_create_all_chr_files($1_t)
-@@ -1363,13 +1387,6 @@
+@@ -1363,13 +1393,6 @@
# But presently necessary for installing the file_contexts file.
seutil_manage_bin_policy($1_t)
@@ -32586,7 +32819,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
optional_policy(`
userhelper_exec($1_t)
')
-@@ -1422,6 +1439,7 @@
+@@ -1422,6 +1445,7 @@
dev_relabel_all_dev_nodes($1)
files_create_boot_flag($1)
@@ -32594,7 +32827,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
# Necessary for managing /boot/efi
fs_manage_dos_files($1)
-@@ -1787,10 +1805,14 @@
+@@ -1787,10 +1811,14 @@
template(`userdom_user_home_content',`
gen_require(`
attribute $1_file_type;
@@ -32610,7 +32843,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
-@@ -1886,11 +1908,11 @@
+@@ -1886,11 +1914,11 @@
#
template(`userdom_search_user_home_dirs',`
gen_require(`
@@ -32624,7 +32857,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
-@@ -1920,11 +1942,11 @@
+@@ -1920,11 +1948,11 @@
#
template(`userdom_list_user_home_dirs',`
gen_require(`
@@ -32638,7 +32871,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
-@@ -1968,12 +1990,12 @@
+@@ -1968,12 +1996,12 @@
#
template(`userdom_user_home_domtrans',`
gen_require(`
@@ -32654,7 +32887,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
-@@ -2003,10 +2025,11 @@
+@@ -2003,10 +2031,11 @@
#
template(`userdom_dontaudit_list_user_home_dirs',`
gen_require(`
@@ -32668,7 +32901,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
-@@ -2038,11 +2061,47 @@
+@@ -2038,11 +2067,47 @@
#
template(`userdom_manage_user_home_content_dirs',`
gen_require(`
@@ -32718,7 +32951,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
-@@ -2074,10 +2133,10 @@
+@@ -2074,10 +2139,10 @@
#
template(`userdom_dontaudit_setattr_user_home_content_files',`
gen_require(`
@@ -32731,7 +32964,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
-@@ -2107,11 +2166,11 @@
+@@ -2107,11 +2172,11 @@
#
template(`userdom_read_user_home_content_files',`
gen_require(`
@@ -32745,7 +32978,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
-@@ -2141,11 +2200,11 @@
+@@ -2141,11 +2206,11 @@
#
template(`userdom_dontaudit_read_user_home_content_files',`
gen_require(`
@@ -32760,7 +32993,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
-@@ -2175,10 +2234,14 @@
+@@ -2175,10 +2240,14 @@
#
template(`userdom_dontaudit_write_user_home_content_files',`
gen_require(`
@@ -32777,7 +33010,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
-@@ -2208,11 +2271,11 @@
+@@ -2208,11 +2277,11 @@
#
template(`userdom_read_user_home_content_symlinks',`
gen_require(`
@@ -32791,7 +33024,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
-@@ -2242,11 +2305,11 @@
+@@ -2242,11 +2311,11 @@
#
template(`userdom_exec_user_home_content_files',`
gen_require(`
@@ -32805,7 +33038,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
-@@ -2276,10 +2339,10 @@
+@@ -2276,10 +2345,10 @@
#
template(`userdom_dontaudit_exec_user_home_content_files',`
gen_require(`
@@ -32818,7 +33051,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
-@@ -2311,12 +2374,12 @@
+@@ -2311,12 +2380,12 @@
#
template(`userdom_manage_user_home_content_files',`
gen_require(`
@@ -32834,7 +33067,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
-@@ -2348,10 +2411,10 @@
+@@ -2348,10 +2417,10 @@
#
template(`userdom_dontaudit_manage_user_home_content_dirs',`
gen_require(`
@@ -32847,7 +33080,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
-@@ -2383,12 +2446,12 @@
+@@ -2383,12 +2452,12 @@
#
template(`userdom_manage_user_home_content_symlinks',`
gen_require(`
@@ -32863,7 +33096,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
-@@ -2420,12 +2483,12 @@
+@@ -2420,12 +2489,12 @@
#
template(`userdom_manage_user_home_content_pipes',`
gen_require(`
@@ -32879,7 +33112,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
-@@ -2457,12 +2520,12 @@
+@@ -2457,12 +2526,12 @@
#
template(`userdom_manage_user_home_content_sockets',`
gen_require(`
@@ -32895,7 +33128,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
-@@ -2507,11 +2570,11 @@
+@@ -2507,11 +2576,11 @@
#
template(`userdom_user_home_dir_filetrans',`
gen_require(`
@@ -32909,7 +33142,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
-@@ -2556,11 +2619,11 @@
+@@ -2556,11 +2625,11 @@
#
template(`userdom_user_home_content_filetrans',`
gen_require(`
@@ -32923,7 +33156,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
-@@ -2600,11 +2663,11 @@
+@@ -2600,11 +2669,11 @@
#
template(`userdom_user_home_dir_filetrans_user_home_content',`
gen_require(`
@@ -32937,7 +33170,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
-@@ -2634,11 +2697,11 @@
+@@ -2634,11 +2703,11 @@
#
template(`userdom_write_user_tmp_sockets',`
gen_require(`
@@ -32951,7 +33184,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
-@@ -2668,11 +2731,11 @@
+@@ -2668,11 +2737,11 @@
#
template(`userdom_list_user_tmp',`
gen_require(`
@@ -32965,7 +33198,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
-@@ -2704,10 +2767,10 @@
+@@ -2704,10 +2773,10 @@
#
template(`userdom_dontaudit_list_user_tmp',`
gen_require(`
@@ -32978,7 +33211,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
-@@ -2739,10 +2802,10 @@
+@@ -2739,10 +2808,10 @@
#
template(`userdom_dontaudit_manage_user_tmp_dirs',`
gen_require(`
@@ -32991,7 +33224,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
-@@ -2772,12 +2835,12 @@
+@@ -2772,12 +2841,12 @@
#
template(`userdom_read_user_tmp_files',`
gen_require(`
@@ -33007,7 +33240,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
-@@ -2809,10 +2872,10 @@
+@@ -2809,10 +2878,10 @@
#
template(`userdom_dontaudit_read_user_tmp_files',`
gen_require(`
@@ -33020,7 +33253,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
-@@ -2844,10 +2907,48 @@
+@@ -2844,10 +2913,48 @@
#
template(`userdom_dontaudit_append_user_tmp_files',`
gen_require(`
@@ -33071,7 +33304,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
-@@ -2877,12 +2978,12 @@
+@@ -2877,12 +2984,12 @@
#
template(`userdom_rw_user_tmp_files',`
gen_require(`
@@ -33087,7 +33320,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
-@@ -2914,10 +3015,10 @@
+@@ -2914,10 +3021,10 @@
#
template(`userdom_dontaudit_manage_user_tmp_files',`
gen_require(`
@@ -33100,7 +33333,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
-@@ -2949,12 +3050,12 @@
+@@ -2949,12 +3056,12 @@
#
template(`userdom_read_user_tmp_symlinks',`
gen_require(`
@@ -33116,7 +33349,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
-@@ -2986,11 +3087,11 @@
+@@ -2986,11 +3093,11 @@
#
template(`userdom_manage_user_tmp_dirs',`
gen_require(`
@@ -33130,7 +33363,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
-@@ -3022,11 +3123,11 @@
+@@ -3022,11 +3129,11 @@
#
template(`userdom_manage_user_tmp_files',`
gen_require(`
@@ -33144,7 +33377,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
-@@ -3058,11 +3159,11 @@
+@@ -3058,11 +3165,11 @@
#
template(`userdom_manage_user_tmp_symlinks',`
gen_require(`
@@ -33158,7 +33391,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
-@@ -3094,11 +3195,11 @@
+@@ -3094,11 +3201,11 @@
#
template(`userdom_manage_user_tmp_pipes',`
gen_require(`
@@ -33172,7 +33405,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
-@@ -3130,11 +3231,11 @@
+@@ -3130,11 +3237,11 @@
#
template(`userdom_manage_user_tmp_sockets',`
gen_require(`
@@ -33186,7 +33419,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
-@@ -3179,10 +3280,10 @@
+@@ -3179,10 +3286,10 @@
#
template(`userdom_user_tmp_filetrans',`
gen_require(`
@@ -33199,7 +33432,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
files_search_tmp($2)
')
-@@ -3223,10 +3324,10 @@
+@@ -3223,10 +3330,10 @@
#
template(`userdom_tmp_filetrans_user_tmp',`
gen_require(`
@@ -33212,7 +33445,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
-@@ -3254,24 +3355,24 @@
+@@ -3254,24 +3361,24 @@
##
##
#
@@ -33241,7 +33474,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
##
##
## This is a templated interface, and should only
-@@ -3290,23 +3391,24 @@
+@@ -3290,23 +3397,24 @@
##
##
#
@@ -33273,7 +33506,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
##
##
## This is a templated interface, and should only
-@@ -3321,18 +3423,89 @@
+@@ -3321,13 +3429,84 @@
##
##
##
@@ -33287,11 +33520,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
gen_require(`
- type $1_untrusted_content_t;
+ type $1_tmpfs_t;
- ')
-
-- dontaudit $2 $1_untrusted_content_t:dir list_dir_perms;
--')
--
++ ')
++
+ fs_search_tmpfs($2)
+ allow $2 $1_tmpfs_t:dir list_dir_perms;
+ delete_files_pattern($2,$1_tmpfs_t,$1_tmpfs_t)
@@ -33361,15 +33591,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
+template(`userdom_dontaudit_list_user_untrusted_content',`
+ gen_require(`
+ type $1_untrusted_content_t;
-+ ')
-+
-+ dontaudit $2 $1_untrusted_content_t:dir list_dir_perms;
-+')
-+
- ########################################
- ##
- ## Read user untrusted files.
-@@ -4231,11 +4404,11 @@
+ ')
+
+ dontaudit $2 $1_untrusted_content_t:dir list_dir_perms;
+@@ -4231,11 +4410,11 @@
#
interface(`userdom_search_staff_home_dirs',`
gen_require(`
@@ -33383,7 +33608,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
-@@ -4251,10 +4424,10 @@
+@@ -4251,10 +4430,10 @@
#
interface(`userdom_dontaudit_search_staff_home_dirs',`
gen_require(`
@@ -33396,7 +33621,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
-@@ -4270,11 +4443,11 @@
+@@ -4270,11 +4449,11 @@
#
interface(`userdom_manage_staff_home_dirs',`
gen_require(`
@@ -33410,7 +33635,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
-@@ -4289,16 +4462,16 @@
+@@ -4289,16 +4468,16 @@
#
interface(`userdom_relabelto_staff_home_dirs',`
gen_require(`
@@ -33430,7 +33655,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
## users home directory.
##
##
-@@ -4307,12 +4480,35 @@
+@@ -4307,12 +4486,35 @@
##
##
#
@@ -33439,8 +33664,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
gen_require(`
- type staff_home_t;
+ type user_home_t;
-+ ')
-+
+ ')
+
+- dontaudit $1 staff_home_t:file append;
+ dontaudit $1 user_home_t:file append_file_perms;
+
+ tunable_policy(`use_nfs_home_dirs',`
@@ -33449,10 +33675,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
+
+ tunable_policy(`use_samba_home_dirs',`
+ fs_dontaudit_append_cifs_files($1)
- ')
++ ')
+')
-
-- dontaudit $1 staff_home_t:file append;
++
+########################################
+##
+## Do not audit attempts to append to the staff
@@ -33469,7 +33694,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
-@@ -4327,13 +4523,13 @@
+@@ -4327,13 +4529,13 @@
#
interface(`userdom_read_staff_home_content_files',`
gen_require(`
@@ -33487,7 +33712,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
-@@ -4531,10 +4727,10 @@
+@@ -4531,10 +4733,10 @@
#
interface(`userdom_getattr_sysadm_home_dirs',`
gen_require(`
@@ -33500,7 +33725,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
-@@ -4551,10 +4747,10 @@
+@@ -4551,10 +4753,10 @@
#
interface(`userdom_dontaudit_getattr_sysadm_home_dirs',`
gen_require(`
@@ -33513,7 +33738,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
-@@ -4569,10 +4765,10 @@
+@@ -4569,10 +4771,10 @@
#
interface(`userdom_search_sysadm_home_dirs',`
gen_require(`
@@ -33526,7 +33751,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
-@@ -4588,10 +4784,10 @@
+@@ -4588,10 +4790,10 @@
#
interface(`userdom_dontaudit_search_sysadm_home_dirs',`
gen_require(`
@@ -33539,7 +33764,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
-@@ -4606,10 +4802,10 @@
+@@ -4606,10 +4808,10 @@
#
interface(`userdom_list_sysadm_home_dirs',`
gen_require(`
@@ -33552,7 +33777,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
-@@ -4625,10 +4821,10 @@
+@@ -4625,10 +4827,10 @@
#
interface(`userdom_dontaudit_list_sysadm_home_dirs',`
gen_require(`
@@ -33565,7 +33790,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
-@@ -4644,12 +4840,11 @@
+@@ -4644,12 +4846,11 @@
#
interface(`userdom_dontaudit_read_sysadm_home_content_files',`
gen_require(`
@@ -33581,7 +33806,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
-@@ -4676,10 +4871,10 @@
+@@ -4676,10 +4877,10 @@
#
interface(`userdom_sysadm_home_dir_filetrans',`
gen_require(`
@@ -33594,7 +33819,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
-@@ -4694,10 +4889,10 @@
+@@ -4694,10 +4895,10 @@
#
interface(`userdom_search_sysadm_home_content_dirs',`
gen_require(`
@@ -33607,7 +33832,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
-@@ -4712,13 +4907,13 @@
+@@ -4712,13 +4913,13 @@
#
interface(`userdom_read_sysadm_home_content_files',`
gen_require(`
@@ -33625,7 +33850,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
-@@ -4754,11 +4949,49 @@
+@@ -4754,11 +4955,49 @@
#
interface(`userdom_search_all_users_home_dirs',`
gen_require(`
@@ -33676,7 +33901,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
-@@ -4778,6 +5011,14 @@
+@@ -4778,6 +5017,14 @@
files_list_home($1)
allow $1 home_dir_type:dir list_dir_perms;
@@ -33691,7 +33916,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
-@@ -4839,6 +5080,26 @@
+@@ -4839,6 +5086,26 @@
########################################
##
@@ -33718,7 +33943,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
## Create, read, write, and delete all directories
## in all users home directories.
##
-@@ -4859,6 +5120,25 @@
+@@ -4859,6 +5126,25 @@
########################################
##
@@ -33744,7 +33969,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
## Create, read, write, and delete all files
## in all users home directories.
##
-@@ -4879,6 +5159,26 @@
+@@ -4879,6 +5165,26 @@
########################################
##
@@ -33771,7 +33996,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
## Create, read, write, and delete all symlinks
## in all users home directories.
##
-@@ -5115,7 +5415,7 @@
+@@ -5115,7 +5421,7 @@
#
interface(`userdom_relabelto_generic_user_home_dirs',`
gen_require(`
@@ -33780,7 +34005,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
files_search_home($1)
-@@ -5304,6 +5604,63 @@
+@@ -5304,6 +5610,63 @@
########################################
##
@@ -33844,7 +34069,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
## Create, read, write, and delete directories in
## unprivileged users home directories.
##
-@@ -5509,7 +5866,7 @@
+@@ -5509,7 +5872,7 @@
########################################
##
@@ -33853,7 +34078,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
##
##
##
-@@ -5517,18 +5874,17 @@
+@@ -5517,18 +5880,17 @@
##
##
#
@@ -33876,7 +34101,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
##
##
##
-@@ -5536,17 +5892,17 @@
+@@ -5536,17 +5898,17 @@
##
##
#
@@ -33898,7 +34123,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
##
##
##
-@@ -5554,12 +5910,49 @@
+@@ -5554,18 +5916,55 @@
##
##
#
@@ -33910,11 +34135,13 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
- read_files_pattern($1,userdomain,userdomain)
+- kernel_search_proc($1)
+ allow $1 user_ttynode:chr_file rw_term_perms;
-+')
-+
-+########################################
-+##
+ ')
+
+ ########################################
+ ##
+-## Get the attributes of all user domains.
+## Do not audit attempts to use unprivileged
+## user ttys.
+##
@@ -33948,10 +34175,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
+ ')
+
+ ps_process_pattern($1,userdomain)
- kernel_search_proc($1)
- ')
-
-@@ -5674,6 +6067,42 @@
++ kernel_search_proc($1)
++')
++
++########################################
++##
++## Get the attributes of all user domains.
+ ##
+ ##
+ ##
+@@ -5674,6 +6073,42 @@
########################################
##
@@ -33994,7 +34227,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
## Send a dbus message to all user domains.
##
##
-@@ -5704,3 +6133,370 @@
+@@ -5704,3 +6139,370 @@
interface(`userdom_unconfined',`
refpolicywarn(`$0($*) has been deprecated.')
')
@@ -35020,7 +35253,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/virt.i
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/virt.te serefpolicy-3.3.1/policy/modules/system/virt.te
--- nsaserefpolicy/policy/modules/system/virt.te 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/system/virt.te 2008-04-21 11:02:50.611505000 -0400
++++ serefpolicy-3.3.1/policy/modules/system/virt.te 2008-04-23 10:09:03.411358000 -0400
@@ -0,0 +1,174 @@
+
+policy_module(virt,1.0.0)
@@ -35058,7 +35291,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/virt.t
+files_type(virt_var_lib_t)
+
+type virt_etc_t;
-+files_type(virt_etc_t)
++files_config_file(virt_etc_t)
+
+type virt_etc_rw_t;
+files_type(virt_etc_rw_t)
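Review bot: `files_config_file(virt_etc_t)` on the new side widens read access to the files labelled virt_etc_t beyond the "users" mentioned in the changelog: it attaches the policy's generic config-file attribute to the type, so every domain that already holds the generic read-config-files permission gains read access at once, not only the user domains. The hunk does not show the file contexts for virt_etc_t, so whether any file under that label carries credentials or key material that should stay confined cannot be checked here; that is the question to settle before the attribute is granted. If the wider grant is intended, a comment above the declaration, `# configfile attribute: readable by any domain with generic config-file read access, not just virt domains`, would record the decision. Keeping plain `files_type` on virt_etc_rw_t in the following lines looks consistent with splitting the writable side off from this grant.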
@@ -35867,3 +36100,47 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/users serefpolicy-3.3
- gen_user(root, sysadm, sysadm_r staff_r ifdef(`enable_mls',`secadm_r auditadm_r'), s0, s0 - mls_systemhigh, mcs_allcats)
-')
+gen_user(root, user, unconfined_r sysadm_r staff_r ifdef(`enable_mls',`secadm_r auditadm_r') system_r, s0, s0 - mls_systemhigh, mcs_allcats)
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/Rules.modular serefpolicy-3.3.1/Rules.modular
+--- nsaserefpolicy/Rules.modular 2007-12-19 05:32:18.000000000 -0500
++++ serefpolicy-3.3.1/Rules.modular 2008-04-21 11:02:47.848797000 -0400
+@@ -73,8 +73,8 @@
+ $(tmpdir)/%.mod: $(m4support) $(tmpdir)/generated_definitions.conf $(tmpdir)/all_interfaces.conf %.te
+ @echo "Compliling $(NAME) $(@F) module"
+ @test -d $(tmpdir) || mkdir -p $(tmpdir)
+- $(call perrole-expansion,$(basename $(@F)),$@.role)
+- $(verbose) $(M4) $(M4PARAM) -s $^ $@.role > $(@:.mod=.tmp)
++# $(call perrole-expansion,$(basename $(@F)),$@.role)
++ $(verbose) $(M4) $(M4PARAM) -s $^ > $(@:.mod=.tmp)
+ $(verbose) $(CHECKMODULE) -m $(@:.mod=.tmp) -o $@
+
+ $(tmpdir)/%.mod.fc: $(m4support) %.fc
+@@ -129,7 +129,7 @@
+ @test -d $(tmpdir) || mkdir -p $(tmpdir)
+ # define all available object classes
+ $(verbose) $(genperm) $(avs) $(secclass) > $@
+- $(verbose) $(call create-base-per-role-tmpl,$(patsubst %.te,%,$(base_mods)),$@)
++# $(verbose) $(call create-base-per-role-tmpl,$(patsubst %.te,%,$(base_mods)),$@)
+ $(verbose) test -f $(booleans) && $(setbools) $(booleans) >> $@ || true
+
+ $(tmpdir)/global_bools.conf: M4PARAM += -D self_contained_policy
+@@ -147,7 +147,7 @@
+ $(tmpdir)/rolemap.conf: M4PARAM += -D self_contained_policy
+ $(tmpdir)/rolemap.conf: $(rolemap)
+ $(verbose) echo "" > $@
+- $(call parse-rolemap,base,$@)
++# $(call parse-rolemap,base,$@)
+
+ $(tmpdir)/all_te_files.conf: M4PARAM += -D self_contained_policy
+ $(tmpdir)/all_te_files.conf: $(m4support) $(tmpdir)/generated_definitions.conf $(tmpdir)/all_interfaces.conf $(base_te_files) $(tmpdir)/rolemap.conf
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/Rules.monolithic serefpolicy-3.3.1/Rules.monolithic
+--- nsaserefpolicy/Rules.monolithic 2007-11-20 06:55:20.000000000 -0500
++++ serefpolicy-3.3.1/Rules.monolithic 2008-04-21 11:02:47.854791000 -0400
+@@ -96,7 +96,7 @@
+ #
+ # Load the binary policy
+ #
+-reload $(tmpdir)/load: $(loadpath) $(fcpath) $(appfiles)
++reload $(tmpdir)/load: $(loadpath) $(fcpath) $(ncpath) $(appfiles)
+ @echo "Loading $(NAME) $(loadpath)"
+ $(verbose) $(LOADPOLICY) -q $(loadpath)
+ @touch $(tmpdir)/load
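Review bot: The three recipe lines this hunk disables in Rules.modular (`perrole-expansion` in the `%.mod` rule, `create-base-per-role-tmpl` in the object-class rule, and `parse-rolemap` in the `rolemap.conf` rule) are left as commented-out recipe text rather than deleted, and nothing records why per-role expansion is switched off. After the change `$(tmpdir)/rolemap.conf` is produced by `echo "" > $@` alone and is therefore always an empty file, yet `$(tmpdir)/all_te_files.conf` still lists it as a prerequisite two lines later; if the role map is genuinely gone, drop the stub rule and the prerequisite together, otherwise state what still consumes the file. If the hook is meant to return later, replace the dead `$(call …)` lines with a comment above the `%.mod` rule such as `# per-role expansion disabled: modules are built without a generated .role file`. The Rules.monolithic part of the hunk (adding `$(ncpath)` to the reload prerequisites) looks correct as far as the visible lines show.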
diff --git a/selinux-policy.spec b/selinux-policy.spec
index ff08933..8f68461 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -17,7 +17,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.3.1
-Release: 38%{?dist}
+Release: 39%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -385,8 +385,8 @@ exit 0
%endif
%changelog
-* Tue Apr 22 2008 Dan Walsh 3.3.1-38
-- Bump for release
+* Wed Apr 23 2008 Dan Walsh 3.3.1-39
+- Change etc files to config files to allow users to read them
* Fri Apr 14 2008 Dan Walsh 3.3.1-37
- Lots of fixes for confined domains on NFS_t homedir