From b10408d9842ab0f9a525fffb023c32230d26905d Mon Sep 17 00:00:00 2001
From: Daniel J Walsh
Date: Apr 25 2010 11:36:09 +0000
Subject: - Allow rlogind_t to search /root for .rhosts Resolves: #582760
- Fix path for cached_var_t
- Fix prelink paths /var/lib/prelink
- Allow confined users to direct_dri
- Allow mls lvm/cryptsetup to work
---
diff --git a/policy-F13.patch b/policy-F13.patch
index 2a82830..0ef160d 100644
--- a/policy-F13.patch
+++ b/policy-F13.patch
@@ -354,7 +354,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/certwat
apache_exec_modules(certwatch_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/consoletype.if serefpolicy-3.7.19/policy/modules/admin/consoletype.if
--- nsaserefpolicy/policy/modules/admin/consoletype.if 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.7.19/policy/modules/admin/consoletype.if 2010-04-14 10:48:18.000000000 -0400
++++ serefpolicy-3.7.19/policy/modules/admin/consoletype.if 2010-04-22 08:40:46.000000000 -0400
@@ -19,6 +19,9 @@
corecmd_search_bin($1)
@@ -612,19 +612,35 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/netutil
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/prelink.fc serefpolicy-3.7.19/policy/modules/admin/prelink.fc
--- nsaserefpolicy/policy/modules/admin/prelink.fc 2009-07-23 14:11:04.000000000 -0400
-+++ serefpolicy-3.7.19/policy/modules/admin/prelink.fc 2010-04-14 10:48:18.000000000 -0400
++++ serefpolicy-3.7.19/policy/modules/admin/prelink.fc 2010-04-23 10:28:24.000000000 -0400
@@ -1,3 +1,4 @@
+/etc/cron\.daily/prelink -- gen_context(system_u:object_r:prelink_cron_system_exec_t,s0)
/etc/prelink\.cache -- gen_context(system_u:object_r:prelink_cache_t,s0)
+@@ -6,4 +7,5 @@
+ /var/log/prelink\.log -- gen_context(system_u:object_r:prelink_log_t,s0)
+ /var/log/prelink(/.*)? gen_context(system_u:object_r:prelink_log_t,s0)
+
+-/var/lib/misc/prelink.* -- gen_context(system_u:object_r:prelink_var_lib_t,s0)
++/var/lib/misc/prelink.* -- gen_context(system_u:object_r:prelink_var_lib_t,s0)
++/var/lib/prelink(/.*)? gen_context(system_u:object_r:prelink_var_lib_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/prelink.if serefpolicy-3.7.19/policy/modules/admin/prelink.if
--- nsaserefpolicy/policy/modules/admin/prelink.if 2009-09-16 09:09:20.000000000 -0400
-+++ serefpolicy-3.7.19/policy/modules/admin/prelink.if 2010-04-14 10:48:18.000000000 -0400
-@@ -21,6 +21,25 @@
++++ serefpolicy-3.7.19/policy/modules/admin/prelink.if 2010-04-22 08:56:05.000000000 -0400
+@@ -17,6 +17,30 @@
- ########################################
- ##
+ corecmd_search_bin($1)
+ domtrans_pattern($1, prelink_exec_t, prelink_t)
++
++ ifdef(`hide_broken_symptoms', `
++ dontaudit prelink_t $1:socket_class_set { read write };
++ dontaudit prelink_t $1:fifo_file setattr;
++ ')
++')
++
++########################################
++##
+## Execute the prelink program in the current domain.
+##
+##
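Review bot: The `hide_broken_symptoms` block added inside the prelink domtrans interface silences socket read/write and fifo setattr denials for `prelink_t` on the caller's objects (`$1`) without recording what leaks them, so the next reader cannot tell whether a real fd leak is being hidden. Suggest a comment above the ifdef such as `# callers leak inherited sockets/fifos into prelink_t; hide the noise rather than grant access`. The dontaudit form is the right choice here since prelink has no need of the caller's descriptors, but that reasoning belongs in the file. The interface the prelink.if hunk edits begins before the hunk.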
@@ -640,14 +656,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/prelink
+
+ corecmd_search_bin($1)
+ can_exec($1, prelink_exec_t)
-+')
-+
-+########################################
-+##
- ## Execute the prelink program in the prelink domain.
- ##
- ##
-@@ -151,11 +170,11 @@
+ ')
+
+ ########################################
+@@ -151,11 +175,11 @@
##
##
#
@@ -5358,6 +5370,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/podsleut
optional_policy(`
dbus_system_bus_client(podsleuth_t)
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/pulseaudio.fc serefpolicy-3.7.19/policy/modules/apps/pulseaudio.fc
+--- nsaserefpolicy/policy/modules/apps/pulseaudio.fc 2010-03-29 15:04:22.000000000 -0400
++++ serefpolicy-3.7.19/policy/modules/apps/pulseaudio.fc 2010-04-22 08:28:05.000000000 -0400
+@@ -3,5 +3,6 @@
+
+ /usr/bin/pulseaudio -- gen_context(system_u:object_r:pulseaudio_exec_t,s0)
+
++/var/lib/mpd(/.*)? gen_context(system_u:object_r:pulseaudio_var_lib_t,s0)
+ /var/lib/pulse(/.*)? gen_context(system_u:object_r:pulseaudio_var_lib_t,s0)
+ /var/run/pulse(/.*)? gen_context(system_u:object_r:pulseaudio_var_run_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/pulseaudio.if serefpolicy-3.7.19/policy/modules/apps/pulseaudio.if
--- nsaserefpolicy/policy/modules/apps/pulseaudio.if 2010-03-29 15:04:22.000000000 -0400
+++ serefpolicy-3.7.19/policy/modules/apps/pulseaudio.if 2010-04-14 10:48:18.000000000 -0400
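Review bot: The new `/var/lib/mpd(/.*)? gen_context(system_u:object_r:pulseaudio_var_lib_t,s0)` line gives mpd's entire state directory the pulseaudio state label with no comment, so whatever domains manage pulseaudio_var_lib_t presumably gain the same rights over all of mpd's data, not just the pulse client state that likely motivated the rule. If only a pulse cookie or socket under that directory is needed, a narrower pattern plus a comment such as `# mpd keeps its pulseaudio client state under /var/lib/mpd -- confirm exact path` would record the intent; otherwise the rest of `/var/lib/mpd` should keep a label of its own. The commit message does not mention mpd at all, which makes the rationale harder to recover later.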
@@ -6654,8 +6676,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/userhelp
+/usr/bin/consolehelper -- gen_context(system_u:object_r:consolehelper_exec_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/userhelper.if serefpolicy-3.7.19/policy/modules/apps/userhelper.if
--- nsaserefpolicy/policy/modules/apps/userhelper.if 2010-02-12 10:33:09.000000000 -0500
-+++ serefpolicy-3.7.19/policy/modules/apps/userhelper.if 2010-04-14 10:48:18.000000000 -0400
-@@ -260,3 +260,51 @@
++++ serefpolicy-3.7.19/policy/modules/apps/userhelper.if 2010-04-22 08:47:45.000000000 -0400
+@@ -25,6 +25,7 @@
+ gen_require(`
+ attribute userhelper_type;
+ type userhelper_exec_t, userhelper_conf_t;
++ class dbus send_msg;
+ ')
+
+ ########################################
+@@ -260,3 +261,58 @@
can_exec($1, userhelper_exec_t)
')
@@ -6691,8 +6721,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/userhelp
+ gen_require(`
+ type consolehelper_exec_t;
+ attribute consolehelper_domain;
++ class dbus send_msg;
+ ')
-+
+ type $1_consolehelper_t, consolehelper_domain;
+ domain_type($1_consolehelper_t)
+ domain_entry_file($1_consolehelper_t, consolehelper_exec_t)
@@ -6700,12 +6730,19 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/userhelp
+
+ domtrans_pattern($3, consolehelper_exec_t, $1_consolehelper_t)
+
++ allow $3 $1_consolehelper_t:dbus send_msg;
++ allow $1_consolehelper_t $3:dbus send_msg;
++
+ auth_use_pam($1_consolehelper_t)
+
+ optional_policy(`
+ shutdown_run($1_consolehelper_t, $2)
+ shutdown_send_sigchld($3)
+ ')
++
++ optional_policy(`
++ xserver_read_xdm_pid($1_consolehelper_t)
++ ')
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/userhelper.te serefpolicy-3.7.19/policy/modules/apps/userhelper.te
--- nsaserefpolicy/policy/modules/apps/userhelper.te 2009-07-14 14:19:57.000000000 -0400
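Review bot: The two unconditional rules `allow $3 $1_consolehelper_t:dbus send_msg;` and `allow $1_consolehelper_t $3:dbus send_msg;` let the calling user domain and its consolehelper domain message each other directly, but nothing explains why this pair needs a direct peer rule; suggest `# consolehelper and its caller exchange dbus messages directly` above them, confirmed against the denial that prompted it. The matching `class dbus send_msg;` entries are added to the gen_require blocks in the two userhelper.if hunks above this one, so the three hunks should land together. The new `xserver_read_xdm_pid($1_consolehelper_t)` optional block would likewise benefit from a one-line reason. The template these rules belong to begins before the hunk.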
@@ -6971,7 +7008,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wm.if se
########################################
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corecommands.fc serefpolicy-3.7.19/policy/modules/kernel/corecommands.fc
--- nsaserefpolicy/policy/modules/kernel/corecommands.fc 2010-03-05 17:14:56.000000000 -0500
-+++ serefpolicy-3.7.19/policy/modules/kernel/corecommands.fc 2010-04-14 10:48:18.000000000 -0400
++++ serefpolicy-3.7.19/policy/modules/kernel/corecommands.fc 2010-04-22 11:50:15.000000000 -0400
@@ -49,7 +49,8 @@
/etc/cipe/ip-up.* -- gen_context(system_u:object_r:bin_t,s0)
/etc/cipe/ip-down.* -- gen_context(system_u:object_r:bin_t,s0)
@@ -6982,7 +7019,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/coreco
/etc/cron.daily(/.*)? gen_context(system_u:object_r:bin_t,s0)
/etc/cron.hourly(/.*)? gen_context(system_u:object_r:bin_t,s0)
-@@ -147,6 +148,9 @@
+@@ -70,6 +71,9 @@
+
+ /etc/netplug\.d(/.*)? gen_context(system_u:object_r:bin_t,s0)
+
++/etc/pm/power\d(/.*)? gen_context(system_u:object_r:bin_t,s0)
++/etc/pm/sleep\d(/.*)? gen_context(system_u:object_r:bin_t,s0)
++
+ /etc/ppp/ip-down\..* -- gen_context(system_u:object_r:bin_t,s0)
+ /etc/ppp/ip-up\..* -- gen_context(system_u:object_r:bin_t,s0)
+ /etc/ppp/ipv6-up\..* -- gen_context(system_u:object_r:bin_t,s0)
+@@ -147,6 +151,9 @@
/opt/vmware/workstation/lib/lib/wrapper-gtk24\.sh -- gen_context(system_u:object_r:bin_t,s0)
')
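Review bot: The two added corecommands.fc entries `/etc/pm/power\d(/.*)?` and `/etc/pm/sleep\d(/.*)?` look wrong: the path column of file_contexts is compiled as a PCRE pattern, where `\d` is the digit class, so the pattern matches `/etc/pm/power0` but not `/etc/pm/power.d`, the hook directory pm-utils actually uses. The scripts there would then keep their parent's label instead of bin_t, which is the opposite of what the entry is for. The adjacent `/etc/netplug\.d(/.*)?` line shows the intended form; change the two lines to `/etc/pm/power\.d(/.*)?` and `/etc/pm/sleep\.d(/.*)?`.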
@@ -6992,7 +7039,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/coreco
#
# /usr
#
-@@ -217,10 +221,13 @@
+@@ -217,10 +224,13 @@
/usr/share/apr-0/build/[^/]+\.sh -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/apr-0/build/libtool -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/debconf/.+ -- gen_context(system_u:object_r:bin_t,s0)
@@ -7006,7 +7053,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/coreco
/usr/share/gnucash/finance-quote-check -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/gnucash/finance-quote-helper -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/hal/device-manager/hal-device-manager -- gen_context(system_u:object_r:bin_t,s0)
-@@ -297,6 +304,7 @@
+@@ -297,6 +307,7 @@
/usr/share/system-config-rootpassword/system-config-rootpassword -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/system-config-samba/system-config-samba\.py -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/system-config-securitylevel/system-config-securitylevel\.py -- gen_context(system_u:object_r:bin_t,s0)
@@ -7014,7 +7061,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/coreco
/usr/share/system-config-services/serviceconf\.py -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/system-config-services/system-config-services -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/system-config-soundcard/system-config-soundcard -- gen_context(system_u:object_r:bin_t,s0)
-@@ -331,3 +339,21 @@
+@@ -331,3 +342,21 @@
ifdef(`distro_suse',`
/var/lib/samba/bin/.+ gen_context(system_u:object_r:bin_t,s0)
')
@@ -7740,7 +7787,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.
+/nsr/logs(/.*)? gen_context(system_u:object_r:var_log_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.if serefpolicy-3.7.19/policy/modules/kernel/files.if
--- nsaserefpolicy/policy/modules/kernel/files.if 2010-04-05 14:44:26.000000000 -0400
-+++ serefpolicy-3.7.19/policy/modules/kernel/files.if 2010-04-21 10:00:28.000000000 -0400
++++ serefpolicy-3.7.19/policy/modules/kernel/files.if 2010-04-22 09:13:23.000000000 -0400
@@ -1053,10 +1053,8 @@
relabel_lnk_files_pattern($1, { file_type $2 }, { file_type $2 })
relabel_fifo_files_pattern($1, { file_type $2 }, { file_type $2 })
@@ -8355,7 +8402,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.
')
')
-@@ -5520,3 +5933,210 @@
+@@ -5520,3 +5933,229 @@
typeattribute $1 files_unconfined_type;
')
@@ -8566,6 +8613,25 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.
+ dontaudit $1 file_type:file rw_inherited_file_perms;
+ dontaudit $1 file_type:lnk_file { read };
+')
++
++########################################
++##
++## Allow domain to create_file_ass all types
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`files_create_as_is_all_files',`
++ gen_require(`
++ attribute file_type;
++ class kernel_service create_files_as;
++ ')
++
++ allow $1 file_type:kernel_service create_files_as;
++')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.te serefpolicy-3.7.19/policy/modules/kernel/files.te
--- nsaserefpolicy/policy/modules/kernel/files.te 2010-04-05 14:44:26.000000000 -0400
+++ serefpolicy-3.7.19/policy/modules/kernel/files.te 2010-04-21 10:00:10.000000000 -0400
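Review bot: The summary line `## Allow domain to create_file_ass all types` of the new `files_create_as_is_all_files` interface has a typo and does not say what the permission means: `create_files_as` on `kernel_service` lets the domain have the kernel create files carrying the label of any `file_type`, which is in effect a labeling override for the caller, so the doc should state that and who it is meant for. Suggest `## Allow domain to have the kernel create files labeled as any file type (kernel_service create_files_as); intended for cache backends such as cachefilesd`, matching its only caller in this patch, `files_create_as_is_all_files(cachefilesd_t)` in the cachefilesd.te hunk further down. The interface name also does not follow the permission name; `files_create_files_as_all_files` would, if a rename is still cheap. The gen_require presumes the `kernel_service` class is declared in this policy's flask definitions, which the hunk does not show.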
@@ -8978,7 +9044,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesy
#
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel.if serefpolicy-3.7.19/policy/modules/kernel/kernel.if
--- nsaserefpolicy/policy/modules/kernel/kernel.if 2010-03-18 06:48:09.000000000 -0400
-+++ serefpolicy-3.7.19/policy/modules/kernel/kernel.if 2010-04-20 08:55:34.000000000 -0400
++++ serefpolicy-3.7.19/policy/modules/kernel/kernel.if 2010-04-21 17:30:44.000000000 -0400
@@ -1959,7 +1959,7 @@
')
@@ -9063,7 +9129,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel
## Unconfined access to kernel module resources.
##
##
-@@ -2807,3 +2861,22 @@
+@@ -2807,3 +2861,23 @@
typeattribute $1 kern_unconfined;
')
@@ -9086,6 +9152,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel
+
+ allow $1 kernel_t:unix_stream_socket connectto;
+')
++
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel.te serefpolicy-3.7.19/policy/modules/kernel/kernel.te
--- nsaserefpolicy/policy/modules/kernel/kernel.te 2010-03-18 06:48:09.000000000 -0400
+++ serefpolicy-3.7.19/policy/modules/kernel/kernel.te 2010-04-14 10:48:18.000000000 -0400
@@ -9581,7 +9648,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/staff.t
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm.te serefpolicy-3.7.19/policy/modules/roles/sysadm.te
--- nsaserefpolicy/policy/modules/roles/sysadm.te 2010-02-17 10:37:39.000000000 -0500
-+++ serefpolicy-3.7.19/policy/modules/roles/sysadm.te 2010-04-14 10:48:18.000000000 -0400
++++ serefpolicy-3.7.19/policy/modules/roles/sysadm.te 2010-04-23 11:38:30.000000000 -0400
@@ -15,7 +15,7 @@
role sysadm_r;
@@ -9841,22 +9908,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm.
optional_policy(`
ssh_role_template(sysadm, sysadm_r, sysadm_t)
-@@ -369,6 +430,7 @@
- staff_role_change(sysadm_r)
- ')
-
-+ifndef(`distro_redhat',`
- optional_policy(`
- su_role_template(sysadm, sysadm_r, sysadm_t)
- ')
-@@ -376,15 +438,18 @@
- optional_policy(`
- sudo_role_template(sysadm, sysadm_r, sysadm_t)
- ')
-+')
-
- optional_policy(`
- sysnet_run_ifconfig(sysadm_t, sysadm_r)
+@@ -382,9 +443,11 @@
sysnet_run_dhcpc(sysadm_t, sysadm_r)
')
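Review bot: Dropping the `ifndef(distro_redhat)` wrapper that the inner patch placed around `su_role_template(sysadm, sysadm_r, sysadm_t)` and `sudo_role_template(sysadm, sysadm_r, sysadm_t)` means sysadm_r regains the su/sudo role templates on Red Hat builds, a privilege change the commit message does not list. The shifted new-side numbers in the following inner hunk headers (+430 becoming +443) leave open that the wrapper was re-added in an earlier sysadm.te hunk outside this view, so please confirm which it is. Either way a commit-message line such as `- Re-enable su/sudo role templates for sysadm on Red Hat` or a comment in the patch would make the intent reviewable. The optional_policy blocks shown begin before the hunk.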
@@ -9868,7 +9920,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm.
optional_policy(`
tripwire_run_siggen(sysadm_t, sysadm_r)
-@@ -393,17 +458,21 @@
+@@ -393,17 +456,21 @@
tripwire_run_twprint(sysadm_t, sysadm_r)
')
@@ -9890,7 +9942,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm.
optional_policy(`
unconfined_domtrans(sysadm_t)
-@@ -417,9 +486,11 @@
+@@ -417,9 +484,11 @@
usbmodules_run(sysadm_t, sysadm_r)
')
@@ -9902,7 +9954,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm.
optional_policy(`
usermanage_run_admin_passwd(sysadm_t, sysadm_r)
-@@ -427,9 +498,15 @@
+@@ -427,9 +496,15 @@
usermanage_run_useradd(sysadm_t, sysadm_r)
')
@@ -9918,7 +9970,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm.
optional_policy(`
vpn_run(sysadm_t, sysadm_r)
-@@ -440,13 +517,26 @@
+@@ -440,13 +515,26 @@
')
optional_policy(`
@@ -13548,8 +13600,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bugz
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cachefilesd.fc serefpolicy-3.7.19/policy/modules/services/cachefilesd.fc
--- nsaserefpolicy/policy/modules/services/cachefilesd.fc 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.7.19/policy/modules/services/cachefilesd.fc 2010-04-14 10:48:18.000000000 -0400
-@@ -0,0 +1,28 @@
++++ serefpolicy-3.7.19/policy/modules/services/cachefilesd.fc 2010-04-22 07:27:48.000000000 -0400
+@@ -0,0 +1,29 @@
+###############################################################################
+#
+# Copyright (C) 2006 Red Hat, Inc. All Rights Reserved.
@@ -13576,6 +13628,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cach
+/sbin/cachefilesd -- gen_context(system_u:object_r:cachefilesd_exec_t,s0)
+/dev/cachefiles -c gen_context(system_u:object_r:cachefiles_dev_t,s0)
+/var/fscache(/.*)? gen_context(system_u:object_r:cachefiles_var_t,s0)
++/var/cache/fscache(/.*)? gen_context(system_u:object_r:cachefiles_var_t,s0)
+
+/var/run/cachefilesd\.pid -- gen_context(system_u:object_r:cachefiles_var_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cachefilesd.if serefpolicy-3.7.19/policy/modules/services/cachefilesd.if
@@ -13625,8 +13678,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cach
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cachefilesd.te serefpolicy-3.7.19/policy/modules/services/cachefilesd.te
--- nsaserefpolicy/policy/modules/services/cachefilesd.te 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.7.19/policy/modules/services/cachefilesd.te 2010-04-14 10:48:18.000000000 -0400
-@@ -0,0 +1,146 @@
++++ serefpolicy-3.7.19/policy/modules/services/cachefilesd.te 2010-04-21 17:32:23.000000000 -0400
+@@ -0,0 +1,147 @@
+###############################################################################
+#
+# Copyright (C) 2006, 2010 Red Hat, Inc. All Rights Reserved.
@@ -13726,6 +13779,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cach
+manage_dirs_pattern(cachefilesd_t,cachefilesd_var_run_t, cachefilesd_var_run_t)
+files_pid_file(cachefilesd_var_run_t)
+files_pid_filetrans(cachefilesd_t,cachefilesd_var_run_t,file)
++files_create_as_is_all_files(cachefilesd_t)
+
+# Allow access to cachefiles device file
+allow cachefilesd_t cachefiles_dev_t : chr_file rw_file_perms;
@@ -21339,7 +21393,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/poli
')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/policykit.te serefpolicy-3.7.19/policy/modules/services/policykit.te
--- nsaserefpolicy/policy/modules/services/policykit.te 2009-11-17 10:54:26.000000000 -0500
-+++ serefpolicy-3.7.19/policy/modules/services/policykit.te 2010-04-14 10:48:18.000000000 -0400
++++ serefpolicy-3.7.19/policy/modules/services/policykit.te 2010-04-22 08:28:38.000000000 -0400
@@ -25,6 +25,9 @@
type policykit_reload_t alias polkit_reload_t;
files_type(policykit_reload_t)
@@ -21382,7 +21436,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/poli
auth_use_nsswitch(policykit_t)
-@@ -68,45 +76,80 @@
+@@ -68,45 +76,82 @@
miscfiles_read_localization(policykit_t)
@@ -21441,6 +21495,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/poli
files_pid_filetrans(policykit_auth_t, policykit_var_run_t, { file dir })
-kernel_read_system_state(policykit_auth_t)
++kernel_dontaudit_search_kernel_sysctl(policykit_auth_t)
++
+dev_read_video_dev(policykit_auth_t)
files_read_etc_files(policykit_auth_t)
@@ -21469,7 +21525,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/poli
dbus_session_bus_client(policykit_auth_t)
optional_policy(`
-@@ -119,6 +162,14 @@
+@@ -119,6 +164,14 @@
hal_read_state(policykit_auth_t)
')
@@ -21484,7 +21540,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/poli
########################################
#
# polkit_grant local policy
-@@ -126,7 +177,8 @@
+@@ -126,7 +179,8 @@
allow policykit_grant_t self:capability setuid;
allow policykit_grant_t self:process getattr;
@@ -21494,7 +21550,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/poli
allow policykit_grant_t self:unix_dgram_socket create_socket_perms;
allow policykit_grant_t self:unix_stream_socket create_stream_socket_perms;
-@@ -156,9 +208,12 @@
+@@ -156,9 +210,12 @@
userdom_read_all_users_state(policykit_grant_t)
optional_policy(`
@@ -21508,7 +21564,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/poli
consolekit_dbus_chat(policykit_grant_t)
')
')
-@@ -170,7 +225,8 @@
+@@ -170,7 +227,8 @@
allow policykit_resolve_t self:capability { setuid sys_nice sys_ptrace };
allow policykit_resolve_t self:process getattr;
@@ -24071,15 +24127,26 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ricc
')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rlogin.fc serefpolicy-3.7.19/policy/modules/services/rlogin.fc
--- nsaserefpolicy/policy/modules/services/rlogin.fc 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.7.19/policy/modules/services/rlogin.fc 2010-04-15 16:21:06.000000000 -0400
++++ serefpolicy-3.7.19/policy/modules/services/rlogin.fc 2010-04-22 11:53:06.000000000 -0400
@@ -1,4 +1,7 @@
HOME_DIR/\.rlogin -- gen_context(system_u:object_r:rlogind_home_t,s0)
+HOME_DIR/\.rhosts -- gen_context(system_u:object_r:rlogind_home_t,s0)
+/root/\.rlogin -- gen_context(system_u:object_r:rlogind_home_t,s0)
-+/root/\.rhosts -- gen_context(system_u:object_r:rlogind_home_t,s0)
++/root/\.rhosts -- gen_context(system_u:object_r:rlogind_home_t,s0)
/usr/kerberos/sbin/klogind -- gen_context(system_u:object_r:rlogind_exec_t,s0)
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rlogin.te serefpolicy-3.7.19/policy/modules/services/rlogin.te
+--- nsaserefpolicy/policy/modules/services/rlogin.te 2009-08-14 16:14:31.000000000 -0400
++++ serefpolicy-3.7.19/policy/modules/services/rlogin.te 2010-04-22 11:52:51.000000000 -0400
+@@ -89,6 +89,7 @@
+ userdom_setattr_user_ptys(rlogind_t)
+ # cjp: this is egregious
+ userdom_read_user_home_content_files(rlogind_t)
++userdom_search_admin_dir(rlogind_t)
+
+ remotelogin_domtrans(rlogind_t)
+ remotelogin_signal(rlogind_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.if serefpolicy-3.7.19/policy/modules/services/rpc.if
--- nsaserefpolicy/policy/modules/services/rpc.if 2010-04-06 15:15:38.000000000 -0400
+++ serefpolicy-3.7.19/policy/modules/services/rpc.if 2010-04-14 10:48:18.000000000 -0400
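Review bot: The new `userdom_search_admin_dir(rlogind_t)` sits directly under the existing `# cjp: this is egregious` remark with no comment of its own, so a reader cannot tell it exists only so rlogind can reach `/root/\.rhosts`, which the rlogin.fc hunk above labels rlogind_home_t. Suggest `# search /root so /root/.rhosts (rlogind_home_t) can be found, #582760` above the line. Search on the admin home directory is narrower than the home-content read right above it, and the read of the .rhosts file itself presumably still comes from the rlogind_home_t rules elsewhere in rlogin.te, which the hunk does not show.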
@@ -26591,7 +26658,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.if serefpolicy-3.7.19/policy/modules/services/xserver.if
--- nsaserefpolicy/policy/modules/services/xserver.if 2010-02-12 10:33:09.000000000 -0500
-+++ serefpolicy-3.7.19/policy/modules/services/xserver.if 2010-04-15 13:35:28.000000000 -0400
++++ serefpolicy-3.7.19/policy/modules/services/xserver.if 2010-04-23 09:46:57.000000000 -0400
@@ -19,9 +19,10 @@
interface(`xserver_restricted_role',`
gen_require(`
@@ -26647,7 +26714,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
# Client read xserver shm
allow $2 xserver_t:fd use;
-@@ -94,9 +104,9 @@
+@@ -89,14 +99,19 @@
+ dev_write_misc($2)
+ # open office is looking for the following
+ dev_getattr_agp_dev($2)
+- dev_dontaudit_rw_dri($2)
++ tunable_policy(`user_direct_dri',`
++ dev_rw_dri($2)
++ ',`
++ dev_dontaudit_rw_dri($2)
++ ')
++
+ # GNOME checks for usb and other devices:
dev_rw_usbfs($2)
miscfiles_read_fonts($2)
@@ -26658,7 +26736,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
xserver_xsession_entry_type($2)
xserver_dontaudit_write_log($2)
xserver_stream_connect_xdm($2)
-@@ -148,6 +158,7 @@
+@@ -148,6 +163,7 @@
allow $2 xauth_home_t:file manage_file_perms;
allow $2 xauth_home_t:file { relabelfrom relabelto };
@@ -26666,7 +26744,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
manage_dirs_pattern($2, user_fonts_t, user_fonts_t)
manage_files_pattern($2, user_fonts_t, user_fonts_t)
relabel_dirs_pattern($2, user_fonts_t, user_fonts_t)
-@@ -197,7 +208,7 @@
+@@ -197,7 +213,7 @@
allow $1 xserver_t:process signal;
# Read /tmp/.X0-lock
@@ -26675,7 +26753,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
# Client read xserver shm
allow $1 xserver_t:fd use;
-@@ -291,12 +302,12 @@
+@@ -291,12 +307,12 @@
allow $1 self:unix_stream_socket { connectto create_stream_socket_perms };
# Read .Xauthority file
@@ -26691,7 +26769,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
allow $1 xdm_tmp_t:dir search;
allow $1 xdm_tmp_t:sock_file { read write };
dontaudit $1 xdm_t:tcp_socket { read write };
-@@ -355,6 +366,12 @@
+@@ -355,6 +371,12 @@
class x_property all_x_property_perms;
class x_event all_x_event_perms;
class x_synthetic_event all_x_synthetic_event_perms;
@@ -26704,7 +26782,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
')
##############################
-@@ -386,6 +403,15 @@
+@@ -386,6 +408,15 @@
allow $2 xevent_t:{ x_event x_synthetic_event } receive;
# dont audit send failures
dontaudit $2 input_xevent_type:x_event send;
@@ -26720,7 +26798,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
')
#######################################
-@@ -476,6 +502,7 @@
+@@ -476,6 +507,7 @@
xserver_use_user_fonts($2)
xserver_read_xdm_tmp_files($2)
@@ -26728,7 +26806,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
# X object manager
xserver_object_types_template($1)
-@@ -545,6 +572,9 @@
+@@ -545,6 +577,9 @@
')
domtrans_pattern($1, xauth_exec_t, xauth_t)
@@ -26738,7 +26816,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
')
########################################
-@@ -598,6 +628,7 @@
+@@ -598,6 +633,7 @@
allow $1 xauth_home_t:file read_file_perms;
userdom_search_user_home_dirs($1)
@@ -26746,7 +26824,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
')
########################################
-@@ -805,7 +836,7 @@
+@@ -805,7 +841,7 @@
')
files_search_pids($1)
@@ -26755,7 +26833,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
')
########################################
-@@ -1224,9 +1255,20 @@
+@@ -1224,9 +1260,20 @@
class x_device all_x_device_perms;
class x_pointer all_x_pointer_perms;
class x_keyboard all_x_keyboard_perms;
@@ -26776,7 +26854,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
')
########################################
-@@ -1250,3 +1292,329 @@
+@@ -1250,3 +1297,329 @@
typeattribute $1 x_domain;
typeattribute $1 xserver_unconfined_type;
')
@@ -27108,7 +27186,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.te serefpolicy-3.7.19/policy/modules/services/xserver.te
--- nsaserefpolicy/policy/modules/services/xserver.te 2010-02-12 10:33:09.000000000 -0500
-+++ serefpolicy-3.7.19/policy/modules/services/xserver.te 2010-04-15 16:59:03.000000000 -0400
++++ serefpolicy-3.7.19/policy/modules/services/xserver.te 2010-04-23 09:42:21.000000000 -0400
@@ -36,6 +36,13 @@
##
@@ -27123,17 +27201,24 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
## Allow xdm logins as sysadm
##
##
-@@ -48,6 +55,9 @@
+@@ -48,6 +55,16 @@
##
gen_tunable(xserver_object_manager, false)
++##
++##
++## Allow regular users direct dri device access
++##
++##
++gen_tunable(user_direct_dri, false)
++
+attribute xdmhomewriter;
+attribute x_userdomain;
+
attribute x_domain;
# X Events
-@@ -110,21 +120,26 @@
+@@ -110,21 +127,26 @@
type user_fonts_t;
typealias user_fonts_t alias { staff_fonts_t sysadm_fonts_t };
typealias user_fonts_t alias { auditadm_fonts_t secadm_fonts_t };
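Review bot: The description of the new boolean, `## Allow regular users direct dri device access`, does not say what flipping it changes: the xserver.if hunk earlier in this patch swaps `dev_dontaudit_rw_dri($2)` for `dev_rw_dri($2)` for every domain given the X role, i.e. read/write on the DRI device nodes, which are shared by all local sessions. Suggest expanding it to `## Allow regular users direct dri device access (read/write on /dev/dri nodes, shared by all local X clients)`. The default `gen_tunable(user_direct_dri, false)` keeps existing installs on the dontaudit branch, which is worth stating in the commit message as well.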
@@ -27160,7 +27245,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
typealias iceauth_t alias { auditadm_iceauth_t secadm_iceauth_t };
application_domain(iceauth_t, iceauth_exec_t)
ubac_constrained(iceauth_t)
-@@ -132,6 +147,7 @@
+@@ -132,6 +154,7 @@
type iceauth_home_t;
typealias iceauth_home_t alias { user_iceauth_home_t staff_iceauth_home_t sysadm_iceauth_home_t };
typealias iceauth_home_t alias { auditadm_iceauth_home_t secadm_iceauth_home_t };
@@ -27168,7 +27253,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
files_poly_member(iceauth_home_t)
userdom_user_home_content(iceauth_home_t)
-@@ -139,17 +155,20 @@
+@@ -139,17 +162,20 @@
type xauth_exec_t;
typealias xauth_t alias { user_xauth_t staff_xauth_t sysadm_xauth_t };
typealias xauth_t alias { auditadm_xauth_t secadm_xauth_t };
@@ -27189,7 +27274,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
typealias xauth_tmp_t alias { auditadm_xauth_tmp_t secadm_xauth_tmp_t };
files_tmp_file(xauth_tmp_t)
ubac_constrained(xauth_tmp_t)
-@@ -164,16 +183,18 @@
+@@ -164,16 +190,18 @@
type xdm_exec_t;
auth_login_pgm_domain(xdm_t)
init_domain(xdm_t, xdm_exec_t)
@@ -27211,7 +27296,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
type xdm_var_lib_t;
files_type(xdm_var_lib_t)
-@@ -181,13 +202,27 @@
+@@ -181,13 +209,27 @@
type xdm_var_run_t;
files_pid_file(xdm_var_run_t)
@@ -27240,7 +27325,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
# type for /var/lib/xkb
type xkb_var_lib_t;
files_type(xkb_var_lib_t)
-@@ -200,15 +235,9 @@
+@@ -200,15 +242,9 @@
init_system_domain(xserver_t, xserver_exec_t)
ubac_constrained(xserver_t)
@@ -27258,7 +27343,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
files_tmpfs_file(xserver_tmpfs_t)
ubac_constrained(xserver_tmpfs_t)
-@@ -238,9 +267,13 @@
+@@ -238,9 +274,13 @@
allow xdm_t iceauth_home_t:file read_file_perms;
@@ -27272,7 +27357,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
tunable_policy(`use_nfs_home_dirs',`
fs_manage_nfs_files(iceauth_t)
-@@ -250,30 +283,58 @@
+@@ -250,30 +290,58 @@
fs_manage_cifs_files(iceauth_t)
')
@@ -27334,7 +27419,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
fs_search_auto_mountpoints(xauth_t)
# cjp: why?
-@@ -283,17 +344,36 @@
+@@ -283,17 +351,36 @@
userdom_use_user_terminals(xauth_t)
userdom_read_user_tmp_files(xauth_t)
@@ -27371,7 +27456,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
optional_policy(`
ssh_sigchld(xauth_t)
ssh_read_pipes(xauth_t)
-@@ -305,20 +385,31 @@
+@@ -305,20 +392,31 @@
# XDM Local policy
#
@@ -27406,7 +27491,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
# Allow gdm to run gdm-binary
can_exec(xdm_t, xdm_exec_t)
-@@ -332,26 +423,45 @@
+@@ -332,26 +430,45 @@
manage_dirs_pattern(xdm_t, xdm_tmp_t, xdm_tmp_t)
manage_files_pattern(xdm_t, xdm_tmp_t, xdm_tmp_t)
@@ -27457,7 +27542,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
allow xdm_t xserver_t:unix_stream_socket connectto;
allow xdm_t xserver_tmp_t:sock_file rw_sock_file_perms;
-@@ -359,10 +469,13 @@
+@@ -359,10 +476,13 @@
# transition to the xdm xserver
domtrans_pattern(xdm_t, xserver_exec_t, xserver_t)
@@ -27471,7 +27556,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
# connect to xdm xserver over stream socket
stream_connect_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t, xserver_t)
-@@ -371,15 +484,21 @@
+@@ -371,15 +491,21 @@
delete_files_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t)
delete_sock_files_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t)
@@ -27494,7 +27579,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
corecmd_exec_shell(xdm_t)
corecmd_exec_bin(xdm_t)
-@@ -394,11 +513,13 @@
+@@ -394,11 +520,13 @@
corenet_udp_sendrecv_all_ports(xdm_t)
corenet_tcp_bind_generic_node(xdm_t)
corenet_udp_bind_generic_node(xdm_t)
@@ -27508,7 +27593,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
dev_read_rand(xdm_t)
dev_read_sysfs(xdm_t)
dev_getattr_framebuffer_dev(xdm_t)
-@@ -406,6 +527,7 @@
+@@ -406,6 +534,7 @@
dev_getattr_mouse_dev(xdm_t)
dev_setattr_mouse_dev(xdm_t)
dev_rw_apm_bios(xdm_t)
@@ -27516,7 +27601,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
dev_setattr_apm_bios_dev(xdm_t)
dev_rw_dri(xdm_t)
dev_rw_agp(xdm_t)
-@@ -414,18 +536,22 @@
+@@ -414,18 +543,22 @@
dev_getattr_misc_dev(xdm_t)
dev_setattr_misc_dev(xdm_t)
dev_dontaudit_rw_misc(xdm_t)
@@ -27542,7 +27627,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
files_read_etc_files(xdm_t)
files_read_var_files(xdm_t)
-@@ -436,9 +562,17 @@
+@@ -436,9 +569,17 @@
files_read_usr_files(xdm_t)
# Poweroff wants to create the /poweroff file when run from xdm
files_create_boot_flag(xdm_t)
@@ -27560,7 +27645,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
storage_dontaudit_read_fixed_disk(xdm_t)
storage_dontaudit_write_fixed_disk(xdm_t)
-@@ -447,14 +581,19 @@
+@@ -447,14 +588,19 @@
storage_dontaudit_raw_write_removable_device(xdm_t)
storage_dontaudit_setattr_removable_dev(xdm_t)
storage_dontaudit_rw_scsi_generic(xdm_t)
@@ -27580,7 +27665,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
auth_rw_faillog(xdm_t)
auth_write_login_records(xdm_t)
-@@ -465,10 +604,12 @@
+@@ -465,10 +611,12 @@
logging_read_generic_logs(xdm_t)
@@ -27595,7 +27680,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
userdom_dontaudit_use_unpriv_user_fds(xdm_t)
userdom_create_all_users_keys(xdm_t)
-@@ -477,6 +618,11 @@
+@@ -477,6 +625,11 @@
# Search /proc for any user domain processes.
userdom_read_all_users_state(xdm_t)
userdom_signal_all_users(xdm_t)
@@ -27607,7 +27692,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
xserver_rw_session(xdm_t, xdm_tmpfs_t)
xserver_unconfined(xdm_t)
-@@ -509,10 +655,12 @@
+@@ -509,10 +662,12 @@
optional_policy(`
alsa_domtrans(xdm_t)
@@ -27620,7 +27705,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
')
optional_policy(`
-@@ -520,12 +668,50 @@
+@@ -520,12 +675,50 @@
')
optional_policy(`
@@ -27671,7 +27756,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
hostname_exec(xdm_t)
')
-@@ -543,20 +729,59 @@
+@@ -543,20 +736,59 @@
')
optional_policy(`
@@ -27733,7 +27818,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
ifndef(`distro_redhat',`
allow xdm_t self:process { execheap execmem };
-@@ -565,7 +790,6 @@
+@@ -565,7 +797,6 @@
ifdef(`distro_rhel4',`
allow xdm_t self:process { execheap execmem };
')
@@ -27741,7 +27826,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
optional_policy(`
userhelper_dontaudit_search_config(xdm_t)
-@@ -576,6 +800,10 @@
+@@ -576,6 +807,10 @@
')
optional_policy(`
@@ -27752,7 +27837,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
xfs_stream_connect(xdm_t)
')
-@@ -600,10 +828,9 @@
+@@ -600,10 +835,9 @@
# execheap needed until the X module loader is fixed.
# NVIDIA Needs execstack
@@ -27764,7 +27849,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
allow xserver_t self:fd use;
allow xserver_t self:fifo_file rw_fifo_file_perms;
allow xserver_t self:sock_file read_sock_file_perms;
-@@ -615,6 +842,18 @@
+@@ -615,6 +849,18 @@
allow xserver_t self:unix_stream_socket { create_stream_socket_perms connectto };
allow xserver_t self:tcp_socket create_stream_socket_perms;
allow xserver_t self:udp_socket create_socket_perms;
@@ -27783,7 +27868,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
manage_dirs_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
manage_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
-@@ -634,12 +873,19 @@
+@@ -634,12 +880,19 @@
manage_lnk_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
files_search_var_lib(xserver_t)
@@ -27805,7 +27890,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
kernel_read_system_state(xserver_t)
kernel_read_device_sysctls(xserver_t)
-@@ -673,7 +919,6 @@
+@@ -673,7 +926,6 @@
dev_rw_agp(xserver_t)
dev_rw_framebuffer(xserver_t)
dev_manage_dri_dev(xserver_t)
@@ -27813,7 +27898,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
dev_create_generic_dirs(xserver_t)
dev_setattr_generic_dirs(xserver_t)
# raw memory access is needed if not using the frame buffer
-@@ -683,9 +928,12 @@
+@@ -683,9 +935,12 @@
dev_rw_xserver_misc(xserver_t)
# read events - the synaptics touchpad driver reads raw events
dev_rw_input_dev(xserver_t)
@@ -27827,7 +27912,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
files_read_etc_files(xserver_t)
files_read_etc_runtime_files(xserver_t)
-@@ -700,8 +948,13 @@
+@@ -700,8 +955,13 @@
fs_search_nfs(xserver_t)
fs_search_auto_mountpoints(xserver_t)
fs_search_ramfs(xserver_t)
@@ -27841,7 +27926,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
selinux_validate_context(xserver_t)
selinux_compute_access_vector(xserver_t)
-@@ -723,11 +976,14 @@
+@@ -723,11 +983,14 @@
miscfiles_read_localization(xserver_t)
miscfiles_read_fonts(xserver_t)
@@ -27856,7 +27941,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
userdom_search_user_home_dirs(xserver_t)
userdom_use_user_ttys(xserver_t)
-@@ -779,12 +1035,24 @@
+@@ -779,12 +1042,24 @@
')
optional_policy(`
@@ -27882,7 +27967,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
unconfined_domtrans(xserver_t)
')
-@@ -811,7 +1079,7 @@
+@@ -811,7 +1086,7 @@
allow xserver_t xdm_var_lib_t:file { getattr read };
dontaudit xserver_t xdm_var_lib_t:dir search;
@@ -27891,7 +27976,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
# Label pid and temporary files with derived types.
manage_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
-@@ -832,9 +1100,14 @@
+@@ -832,9 +1107,14 @@
# to read ROLE_home_t - examine this in more detail
# (xauth?)
userdom_read_user_home_content_files(xserver_t)
@@ -27906,7 +27991,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
tunable_policy(`use_nfs_home_dirs',`
fs_manage_nfs_dirs(xserver_t)
fs_manage_nfs_files(xserver_t)
-@@ -849,11 +1122,14 @@
+@@ -849,11 +1129,14 @@
optional_policy(`
dbus_system_bus_client(xserver_t)
@@ -27923,7 +28008,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
')
optional_policy(`
-@@ -999,3 +1275,33 @@
+@@ -999,3 +1282,33 @@
allow xserver_unconfined_type xextension_type:x_extension *;
allow xserver_unconfined_type { x_domain xserver_t }:x_resource *;
allow xserver_unconfined_type xevent_type:{ x_event x_synthetic_event } *;
@@ -28372,7 +28457,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.f
# /var
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.if serefpolicy-3.7.19/policy/modules/system/init.if
--- nsaserefpolicy/policy/modules/system/init.if 2010-03-18 10:35:11.000000000 -0400
-+++ serefpolicy-3.7.19/policy/modules/system/init.if 2010-04-14 10:48:18.000000000 -0400
++++ serefpolicy-3.7.19/policy/modules/system/init.if 2010-04-22 08:33:46.000000000 -0400
@@ -193,8 +193,10 @@
gen_require(`
attribute direct_run_init, direct_init, direct_init_entry;
@@ -28623,7 +28708,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.i
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.te serefpolicy-3.7.19/policy/modules/system/init.te
--- nsaserefpolicy/policy/modules/system/init.te 2010-03-18 10:35:11.000000000 -0400
-+++ serefpolicy-3.7.19/policy/modules/system/init.te 2010-04-15 16:58:18.000000000 -0400
++++ serefpolicy-3.7.19/policy/modules/system/init.te 2010-04-22 08:33:38.000000000 -0400
@@ -17,6 +17,20 @@
##
gen_tunable(init_upstart, false)
@@ -29669,7 +29754,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin
domain_system_change_exemption($1)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/logging.te serefpolicy-3.7.19/policy/modules/system/logging.te
--- nsaserefpolicy/policy/modules/system/logging.te 2010-03-18 06:48:09.000000000 -0400
-+++ serefpolicy-3.7.19/policy/modules/system/logging.te 2010-04-14 10:48:18.000000000 -0400
++++ serefpolicy-3.7.19/policy/modules/system/logging.te 2010-04-22 08:29:10.000000000 -0400
@@ -61,6 +61,7 @@
type syslogd_t;
type syslogd_exec_t;
@@ -29756,7 +29841,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/lvm.fc
# /sbin
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/lvm.if serefpolicy-3.7.19/policy/modules/system/lvm.if
--- nsaserefpolicy/policy/modules/system/lvm.if 2009-11-25 11:47:19.000000000 -0500
-+++ serefpolicy-3.7.19/policy/modules/system/lvm.if 2010-04-14 10:48:18.000000000 -0400
++++ serefpolicy-3.7.19/policy/modules/system/lvm.if 2010-04-22 12:09:51.000000000 -0400
@@ -34,7 +34,7 @@
type lvm_exec_t;
')
@@ -29768,7 +29853,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/lvm.if
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/lvm.te serefpolicy-3.7.19/policy/modules/system/lvm.te
--- nsaserefpolicy/policy/modules/system/lvm.te 2009-11-25 11:47:19.000000000 -0500
-+++ serefpolicy-3.7.19/policy/modules/system/lvm.te 2010-04-14 10:48:18.000000000 -0400
++++ serefpolicy-3.7.19/policy/modules/system/lvm.te 2010-04-22 12:11:19.000000000 -0400
@@ -142,6 +142,11 @@
')
@@ -29816,7 +29901,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/lvm.te
fs_search_auto_mountpoints(lvm_t)
fs_list_tmpfs(lvm_t)
fs_read_tmpfs_symlinks(lvm_t)
-@@ -311,6 +320,11 @@
+@@ -264,6 +273,7 @@
+
+ mls_file_read_all_levels(lvm_t)
+ mls_file_write_to_clearance(lvm_t)
++mls_file_upgrade(lvm_t)
+
+ selinux_get_fs_mount(lvm_t)
+ selinux_validate_context(lvm_t)
+@@ -311,6 +321,11 @@
')
optional_policy(`
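Review bot: The added `mls_file_upgrade(lvm_t)` line carries no comment recording why lvm_t needs to raise the sensitivity level of files, and nothing in the hunk ties it to a specific denial; the neighbouring inner context already grants `mls_file_read_all_levels` and `mls_file_write_to_clearance`, so this third override widens lvm_t into a domain that can move file data to a higher level, which an MLS deployment's auditors will want justified in place. The commit message's "Allow mls lvm/cryptosetup to work" suggests the cryptsetup path is the motivation, but that is an inference from the title, not from the policy lines themselves. I would add, directly above the new line, `# MLS override: cryptsetup run via lvm_t needs to raise file levels (see changelog 3.7.19-5); confirm against the AVC denial that motivated this`. The renumbered `@@ -311,6 +321,11 @@` header that follows is consistent with the one-line insertion.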
@@ -29828,7 +29921,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/lvm.te
bootloader_rw_tmp_files(lvm_t)
')
-@@ -331,6 +345,10 @@
+@@ -331,6 +346,10 @@
')
optional_policy(`
@@ -32556,7 +32649,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
+HOME_DIR/\.gvfs(/.*)? <>
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.7.19/policy/modules/system/userdomain.if
--- nsaserefpolicy/policy/modules/system/userdomain.if 2010-03-03 23:26:37.000000000 -0500
-+++ serefpolicy-3.7.19/policy/modules/system/userdomain.if 2010-04-20 12:26:39.000000000 -0400
++++ serefpolicy-3.7.19/policy/modules/system/userdomain.if 2010-04-22 11:53:25.000000000 -0400
@@ -30,8 +30,9 @@
')
diff --git a/selinux-policy.spec b/selinux-policy.spec
index daddb15..94a9ea1 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -20,7 +20,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.7.19
-Release: 4%{?dist}
+Release: 5%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -466,6 +466,14 @@ exit 0
%endif
%changelog
+* Thu Apr 22 2010 Dan Walsh 3.7.19-5
+- Allow rlogind_t to search /root for .rhosts
+Resolves: #582760
+- Fix path for cached_var_t
+- Fix prelink paths /var/lib/prelink
+- Allow confined users to direct_dri
+- Allow mls lvm/cryptosetup to work
+
* Wed Apr 21 2010 Dan Walsh 3.7.19-4
- Allow virtd_t to manage firewall/iptables config
Resolves: #573585