From c490429294577da73d3f527a7c92c8cbe62ba44e Mon Sep 17 00:00:00 2001 From: Daniel J Walsh Date: Jan 13 2008 13:24:59 +0000 Subject: - Alow postgrey to read postfix_etc_t - Lots of fixes to get javaplugin to run under xguest --- diff --git a/policy-20070703.patch b/policy-20070703.patch index 87a6159..e7840e7 100644 --- a/policy-20070703.patch +++ b/policy-20070703.patch @@ -2946,7 +2946,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.fc +/usr/bin/octave-[^/]* -- gen_context(system_u:object_r:java_exec_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.if serefpolicy-3.0.8/policy/modules/apps/java.if --- nsaserefpolicy/policy/modules/apps/java.if 2007-10-22 13:21:40.000000000 -0400 -+++ serefpolicy-3.0.8/policy/modules/apps/java.if 2007-12-22 07:13:05.000000000 -0500 ++++ serefpolicy-3.0.8/policy/modules/apps/java.if 2008-01-13 08:10:59.000000000 -0500 @@ -32,7 +32,7 @@ ## ## @@ -2956,16 +2956,24 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.if gen_require(` type java_exec_t; ') -@@ -57,7 +57,7 @@ +@@ -57,11 +57,14 @@ # Local policy # - allow $1_javaplugin_t self:process { signal_perms getsched setsched execmem }; -+ allow $1_javaplugin_t self:process { signal_perms getsched setsched execmem execstack }; ++ allow $1_javaplugin_t self:process { signal_perms getsched ptrace setsched execmem execstack }; allow $1_javaplugin_t self:fifo_file rw_fifo_file_perms; - allow $1_javaplugin_t self:tcp_socket create_socket_perms; +- allow $1_javaplugin_t self:tcp_socket create_socket_perms; ++ allow $1_javaplugin_t self:tcp_socket create_stream_socket_perms; allow $1_javaplugin_t self:udp_socket create_socket_perms; -@@ -81,8 +81,7 @@ + ++ allow $1_javaplugin_t $1_t:process signull; ++ allow $1_javaplugin_t $1_t:unix_stream_socket connectto; ++ allow $1_t $1_javaplugin_t:unix_stream_socket connectto; + allow $1_javaplugin_t $2:unix_stream_socket connectto; + allow $1_javaplugin_t $2:unix_stream_socket { read write }; + userdom_write_user_tmp_sockets($1,$1_javaplugin_t) +@@ -81,8 +84,7 @@ can_exec($1_javaplugin_t, java_exec_t) @@ -2975,7 +2983,48 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.if allow $1_javaplugin_t $2:fd use; # Unrestricted inheritance from the caller. allow $2 $1_javaplugin_t:process { noatsecure siginh rlimitinh }; -@@ -166,6 +165,62 @@ +@@ -94,7 +96,7 @@ + kernel_read_system_state($1_javaplugin_t) + + # Search bin directory under javaplugin for javaplugin executable +- corecmd_search_bin($1_javaplugin_t) ++ corecmd_exec_bin($1_javaplugin_t) + + corenet_all_recvfrom_unlabeled($1_javaplugin_t) + corenet_all_recvfrom_netlabel($1_javaplugin_t) +@@ -107,10 +109,12 @@ + corenet_tcp_connect_all_ports($1_javaplugin_t) + corenet_sendrecv_all_client_packets($1_javaplugin_t) + ++ dev_list_sysfs($1_javaplugin_t) + dev_read_sound($1_javaplugin_t) + dev_write_sound($1_javaplugin_t) + dev_read_urand($1_javaplugin_t) + dev_read_rand($1_javaplugin_t) ++ dev_write_rand($1_javaplugin_t) + + files_read_etc_files($1_javaplugin_t) + files_read_usr_files($1_javaplugin_t) +@@ -122,6 +126,7 @@ + + fs_getattr_xattr_fs($1_javaplugin_t) + fs_dontaudit_rw_tmpfs_files($1_javaplugin_t) ++ fs_getattr_tmpfs($1_javaplugin_t) + + libs_use_ld_so($1_javaplugin_t) + libs_use_shared_libs($1_javaplugin_t) +@@ -134,6 +139,10 @@ + + sysnet_read_config($1_javaplugin_t) + ++ userdom_manage_user_tmp_dirs($1,$1_javaplugin_t) ++ userdom_manage_user_tmp_files($1,$1_javaplugin_t) ++ userdom_manage_user_tmp_sockets($1,$1_javaplugin_t) ++ userdom_read_user_tmpfs_files($1,$1_javaplugin_t) + userdom_dontaudit_use_user_terminals($1,$1_javaplugin_t) + userdom_dontaudit_setattr_user_home_content_files($1,$1_javaplugin_t) + userdom_dontaudit_exec_user_home_content_files($1,$1_javaplugin_t) +@@ -166,6 +175,62 @@ optional_policy(` xserver_user_client_template($1,$1_javaplugin_t,$1_javaplugin_tmpfs_t) ') @@ -3038,7 +3087,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.if ') ######################################## -@@ -219,3 +274,66 @@ +@@ -219,3 +284,66 @@ corecmd_search_bin($1) domtrans_pattern($1, java_exec_t, java_t) ') @@ -3280,7 +3329,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mono.te +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla.if serefpolicy-3.0.8/policy/modules/apps/mozilla.if --- nsaserefpolicy/policy/modules/apps/mozilla.if 2007-10-22 13:21:40.000000000 -0400 -+++ serefpolicy-3.0.8/policy/modules/apps/mozilla.if 2007-12-24 06:40:46.000000000 -0500 ++++ serefpolicy-3.0.8/policy/modules/apps/mozilla.if 2008-01-13 07:54:35.000000000 -0500 @@ -36,6 +36,8 @@ gen_require(` type mozilla_conf_t, mozilla_exec_t; @@ -4291,7 +4340,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/device diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.if serefpolicy-3.0.8/policy/modules/kernel/devices.if --- nsaserefpolicy/policy/modules/kernel/devices.if 2007-10-22 13:21:41.000000000 -0400 -+++ serefpolicy-3.0.8/policy/modules/kernel/devices.if 2007-12-27 11:35:15.000000000 -0500 ++++ serefpolicy-3.0.8/policy/modules/kernel/devices.if 2008-01-13 07:59:15.000000000 -0500 @@ -65,7 +65,7 @@ relabelfrom_dirs_pattern($1,device_t,device_node) @@ -5087,7 +5136,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files. # diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesystem.if serefpolicy-3.0.8/policy/modules/kernel/filesystem.if --- nsaserefpolicy/policy/modules/kernel/filesystem.if 2007-10-22 13:21:42.000000000 -0400 -+++ serefpolicy-3.0.8/policy/modules/kernel/filesystem.if 2007-12-21 13:39:28.000000000 -0500 ++++ serefpolicy-3.0.8/policy/modules/kernel/filesystem.if 2008-01-13 07:57:42.000000000 -0500 @@ -271,45 +271,6 @@ ######################################## @@ -5437,6 +5486,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel ## Do not audit attempts to list unlabeled directories. ## ## +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel.te serefpolicy-3.0.8/policy/modules/kernel/kernel.te +--- nsaserefpolicy/policy/modules/kernel/kernel.te 2007-10-22 13:21:42.000000000 -0400 ++++ serefpolicy-3.0.8/policy/modules/kernel/kernel.te 2008-01-11 15:14:27.000000000 -0500 +@@ -359,7 +359,7 @@ + + allow kern_unconfined proc_type:{ dir file lnk_file } *; + +-allow kern_unconfined sysctl_t:{ dir file } *; ++allow kern_unconfined sysctl_type:{ dir file } *; + + allow kern_unconfined kernel_t:system *; + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/selinux.if serefpolicy-3.0.8/policy/modules/kernel/selinux.if --- nsaserefpolicy/policy/modules/kernel/selinux.if 2007-10-22 13:21:42.000000000 -0400 +++ serefpolicy-3.0.8/policy/modules/kernel/selinux.if 2007-12-02 21:15:34.000000000 -0500 @@ -7816,7 +7877,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups.te serefpolicy-3.0.8/policy/modules/services/cups.te --- nsaserefpolicy/policy/modules/services/cups.te 2007-10-22 13:21:39.000000000 -0400 -+++ serefpolicy-3.0.8/policy/modules/services/cups.te 2007-12-06 15:29:05.000000000 -0500 ++++ serefpolicy-3.0.8/policy/modules/services/cups.te 2008-01-10 16:16:09.000000000 -0500 @@ -48,9 +48,8 @@ type hplip_t; type hplip_exec_t; @@ -7932,9 +7993,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups init_exec_script_files(cupsd_t) -@@ -221,17 +224,38 @@ +@@ -220,18 +223,41 @@ + seutil_read_config(cupsd_t) sysnet_read_config(cupsd_t) ++sysnet_exec_ifconfig(cupsd_t) +files_dontaudit_list_home(cupsd_t) userdom_dontaudit_use_unpriv_user_fds(cupsd_t) @@ -7943,6 +8006,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups # Write to /var/spool/cups. lpd_manage_spool(cupsd_t) +lpd_read_config(cupsd_t) ++lpd_exec_lpr(cupsd_t) ifdef(`enable_mls',` lpd_relabel_spool(cupsd_t) @@ -7971,7 +8035,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups apm_domtrans_client(cupsd_t) ') -@@ -263,16 +287,16 @@ +@@ -263,16 +289,16 @@ ') optional_policy(` @@ -7992,7 +8056,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups seutil_sigchld_newrole(cupsd_t) ') -@@ -331,6 +355,7 @@ +@@ -331,6 +357,7 @@ dev_read_sysfs(cupsd_config_t) dev_read_urand(cupsd_config_t) dev_read_rand(cupsd_config_t) @@ -8000,7 +8064,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups fs_getattr_all_fs(cupsd_config_t) fs_search_auto_mountpoints(cupsd_config_t) -@@ -377,6 +402,14 @@ +@@ -377,6 +404,14 @@ ') optional_policy(` @@ -8015,7 +8079,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups cron_system_entry(cupsd_config_t, cupsd_config_exec_t) ') -@@ -393,6 +426,7 @@ +@@ -393,6 +428,7 @@ optional_policy(` hal_domtrans(cupsd_config_t) hal_read_tmp_files(cupsd_config_t) @@ -8023,7 +8087,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups ') optional_policy(` -@@ -482,6 +516,8 @@ +@@ -482,6 +518,8 @@ files_read_etc_files(cupsd_lpd_t) @@ -8032,7 +8096,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups libs_use_ld_so(cupsd_lpd_t) libs_use_shared_libs(cupsd_lpd_t) -@@ -489,22 +525,12 @@ +@@ -489,22 +527,12 @@ miscfiles_read_localization(cupsd_lpd_t) @@ -8055,7 +8119,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups ######################################## # # HPLIP local policy -@@ -522,14 +548,12 @@ +@@ -522,14 +550,12 @@ allow hplip_t self:udp_socket create_socket_perms; allow hplip_t self:rawip_socket create_socket_perms; @@ -8074,7 +8138,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups manage_files_pattern(hplip_t,hplip_var_run_t,hplip_var_run_t) files_pid_filetrans(hplip_t,hplip_var_run_t,file) -@@ -560,7 +584,7 @@ +@@ -560,7 +586,7 @@ dev_read_urand(hplip_t) dev_read_rand(hplip_t) dev_rw_generic_usb_dev(hplip_t) @@ -8083,7 +8147,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups fs_getattr_all_fs(hplip_t) fs_search_auto_mountpoints(hplip_t) -@@ -587,7 +611,7 @@ +@@ -587,7 +613,7 @@ userdom_dontaudit_search_sysadm_home_dirs(hplip_t) userdom_dontaudit_search_all_users_home_content(hplip_t) @@ -8092,7 +8156,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups optional_policy(` seutil_sigchld_newrole(hplip_t) -@@ -668,3 +692,15 @@ +@@ -668,3 +694,15 @@ optional_policy(` udev_read_db(ptal_t) ') @@ -8216,7 +8280,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus ') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus.if serefpolicy-3.0.8/policy/modules/services/dbus.if --- nsaserefpolicy/policy/modules/services/dbus.if 2007-10-22 13:21:36.000000000 -0400 -+++ serefpolicy-3.0.8/policy/modules/services/dbus.if 2008-01-08 08:11:51.000000000 -0500 ++++ serefpolicy-3.0.8/policy/modules/services/dbus.if 2008-01-08 15:14:32.000000000 -0500 @@ -50,6 +50,12 @@ ## # @@ -8294,7 +8358,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus ') ####################################### -@@ -236,11 +265,12 @@ +@@ -236,14 +265,16 @@ class dbus send_msg; ') @@ -8310,7 +8374,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus # For connecting to the bus allow $3 $1_dbusd_t:unix_stream_socket connectto; -@@ -271,6 +301,60 @@ ++ userdom_dontaudit_write_user_home_content_files($1_dbusd_t) + ') + + ######################################## +@@ -271,6 +302,60 @@ allow $2 $1_dbusd_t:dbus send_msg; ') @@ -8371,7 +8439,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus ######################################## ## ## Read dbus configuration. -@@ -286,6 +370,7 @@ +@@ -286,6 +371,7 @@ type dbusd_etc_t; ') @@ -8379,7 +8447,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus allow $1 dbusd_etc_t:file read_file_perms; ') -@@ -346,3 +431,55 @@ +@@ -346,3 +432,55 @@ allow $1 system_dbusd_t:dbus *; ') @@ -10022,7 +10090,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mail +files_type(mailscanner_spool_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.if serefpolicy-3.0.8/policy/modules/services/mta.if --- nsaserefpolicy/policy/modules/services/mta.if 2007-10-22 13:21:39.000000000 -0400 -+++ serefpolicy-3.0.8/policy/modules/services/mta.if 2007-12-27 11:44:18.000000000 -0500 ++++ serefpolicy-3.0.8/policy/modules/services/mta.if 2008-01-11 14:43:52.000000000 -0500 @@ -87,6 +87,8 @@ # It wants to check for nscd files_dontaudit_search_pids($1_mail_t) @@ -10063,23 +10131,19 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta. ') ####################################### -@@ -226,6 +223,15 @@ - tunable_policy(`use_samba_home_dirs',` - fs_manage_cifs_files($1_mail_t) +@@ -228,6 +225,11 @@ fs_manage_cifs_symlinks($1_mail_t) -+ fs_manage_cifs_files(mailserver_delivery) -+ fs_manage_cifs_symlinks(mailserver_delivery) -+ ') -+ + ') + + tunable_policy(`use_nfs_home_dirs',` + fs_manage_nfs_files($1_mail_t) + fs_manage_nfs_symlinks($1_mail_t) -+ fs_manage_nfs_files(mailserver_delivery) -+ fs_manage_nfs_symlinks(mailserver_delivery) - ') - ++ ') ++ optional_policy(` -@@ -314,6 +320,42 @@ + allow $1_mail_t self:capability dac_override; + +@@ -314,6 +316,42 @@ ######################################## ## @@ -10122,7 +10186,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta. ## Modified mailserver interface for ## sendmail daemon use. ## -@@ -392,11 +434,13 @@ +@@ -392,11 +430,13 @@ allow $1 mail_spool_t:dir list_dir_perms; create_files_pattern($1,mail_spool_t,mail_spool_t) read_files_pattern($1,mail_spool_t,mail_spool_t) @@ -10136,7 +10200,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta. ') optional_policy(` -@@ -431,6 +475,7 @@ +@@ -431,6 +471,7 @@ # apache should set close-on-exec apache_dontaudit_rw_stream_sockets($1) apache_dontaudit_rw_sys_script_stream_sockets($1) @@ -10144,7 +10208,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta. ') ') -@@ -447,20 +492,18 @@ +@@ -447,20 +488,18 @@ interface(`mta_send_mail',` gen_require(` attribute mta_user_agent; @@ -10171,7 +10235,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta. ') ######################################## -@@ -595,6 +638,25 @@ +@@ -595,6 +634,25 @@ files_search_etc($1) allow $1 etc_aliases_t:file { rw_file_perms setattr }; ') @@ -10197,7 +10261,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta. ####################################### ## -@@ -901,3 +963,23 @@ +@@ -901,3 +959,23 @@ allow $1 user_mail_domain:unix_stream_socket rw_socket_perms; ') @@ -10223,8 +10287,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta. + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.te serefpolicy-3.0.8/policy/modules/services/mta.te --- nsaserefpolicy/policy/modules/services/mta.te 2007-10-22 13:21:39.000000000 -0400 -+++ serefpolicy-3.0.8/policy/modules/services/mta.te 2007-12-02 21:15:34.000000000 -0500 -@@ -6,6 +6,8 @@ ++++ serefpolicy-3.0.8/policy/modules/services/mta.te 2008-01-11 14:43:25.000000000 -0500 +@@ -1,11 +1,13 @@ + +-policy_module(mta,1.7.1) ++policy_module(mta,1.9.0) + + ######################################## + # # Declarations # @@ -10302,7 +10372,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta. logrotate_read_tmp_files(system_mail_t) ') -@@ -136,6 +158,14 @@ +@@ -136,11 +158,30 @@ ') optional_policy(` @@ -10317,6 +10387,28 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta. smartmon_read_tmp_files(system_mail_t) ') +-# should break this up among sections: ++tunable_policy(`use_samba_home_dirs',` ++ fs_manage_cifs_dirs(mailserver_delivery) ++ fs_manage_cifs_files(mailserver_delivery) ++ fs_manage_cifs_symlinks(mailserver_delivery) ++') ++ ++tunable_policy(`use_nfs_home_dirs',` ++ fs_manage_nfs_dirs(mailserver_delivery) ++ fs_manage_nfs_files(mailserver_delivery) ++ fs_manage_nfs_symlinks(mailserver_delivery) ++') + ++# should break this up among sections: + optional_policy(` + # why is mail delivered to a directory of type arpwatch_data_t? + arpwatch_search_data(mailserver_delivery) +@@ -154,3 +195,4 @@ + cron_read_system_job_tmp_files(mta_user_agent) + ') + ') ++ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/munin.fc serefpolicy-3.0.8/policy/modules/services/munin.fc --- nsaserefpolicy/policy/modules/services/munin.fc 2007-10-22 13:21:36.000000000 -0400 +++ serefpolicy-3.0.8/policy/modules/services/munin.fc 2007-12-26 20:33:19.000000000 -0500 @@ -11884,7 +11976,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postgrey.te serefpolicy-3.0.8/policy/modules/services/postgrey.te --- nsaserefpolicy/policy/modules/services/postgrey.te 2007-10-22 13:21:36.000000000 -0400 -+++ serefpolicy-3.0.8/policy/modules/services/postgrey.te 2007-12-06 11:06:50.000000000 -0500 ++++ serefpolicy-3.0.8/policy/modules/services/postgrey.te 2008-01-08 16:14:31.000000000 -0500 +@@ -24,7 +24,7 @@ + # Local policy + # + +-allow postgrey_t self:capability { chown setgid setuid }; ++allow postgrey_t self:capability { chown dac_override setgid setuid }; + dontaudit postgrey_t self:capability sys_tty_config; + allow postgrey_t self:process signal_perms; + allow postgrey_t self:tcp_socket create_stream_socket_perms; @@ -68,6 +68,8 @@ fs_getattr_all_fs(postgrey_t) fs_search_auto_mountpoints(postgrey_t) @@ -11894,7 +11995,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post libs_use_ld_so(postgrey_t) libs_use_shared_libs(postgrey_t) -@@ -75,13 +77,11 @@ +@@ -75,13 +77,12 @@ miscfiles_read_localization(postgrey_t) @@ -11905,6 +12006,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post optional_policy(` - nis_use_ypbind(postgrey_t) ++ postfix_read_config(postgrey_t) + postfix_read_spool_files(postgrey_t) ') @@ -15890,7 +15992,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.te serefpolicy-3.0.8/policy/modules/system/authlogin.te --- nsaserefpolicy/policy/modules/system/authlogin.te 2007-10-22 13:21:40.000000000 -0400 -+++ serefpolicy-3.0.8/policy/modules/system/authlogin.te 2007-12-06 10:38:14.000000000 -0500 ++++ serefpolicy-3.0.8/policy/modules/system/authlogin.te 2008-01-08 15:36:56.000000000 -0500 @@ -9,6 +9,13 @@ attribute can_read_shadow_passwords; attribute can_write_shadow_passwords; @@ -15941,12 +16043,13 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo term_use_all_user_ttys(pam_t) term_use_all_user_ptys(pam_t) -@@ -111,19 +129,14 @@ +@@ -111,19 +129,15 @@ logging_send_syslog_msg(pam_t) userdom_use_unpriv_users_fds(pam_t) +userdom_write_unpriv_users_tmp_files(pam_t) +userdom_dontaudit_read_unpriv_users_home_content_files(pam_t) ++userdom_dontaudit_write_user_home_content_files(pam_t) +userdom_unlink_unpriv_users_tmp_files(pam_t) optional_policy(` @@ -15964,7 +16067,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo ######################################## # # PAM console local policy -@@ -149,6 +162,8 @@ +@@ -149,6 +163,8 @@ dev_setattr_apm_bios_dev(pam_console_t) dev_getattr_dri_dev(pam_console_t) dev_setattr_dri_dev(pam_console_t) @@ -15973,7 +16076,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo dev_getattr_framebuffer_dev(pam_console_t) dev_setattr_framebuffer_dev(pam_console_t) dev_getattr_generic_usb_dev(pam_console_t) -@@ -159,6 +174,8 @@ +@@ -159,6 +175,8 @@ dev_setattr_mouse_dev(pam_console_t) dev_getattr_power_mgmt_dev(pam_console_t) dev_setattr_power_mgmt_dev(pam_console_t) @@ -15982,7 +16085,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo dev_getattr_scanner_dev(pam_console_t) dev_setattr_scanner_dev(pam_console_t) dev_getattr_sound_dev(pam_console_t) -@@ -200,6 +217,7 @@ +@@ -200,6 +218,7 @@ fs_list_auto_mountpoints(pam_console_t) fs_list_noxattr_fs(pam_console_t) @@ -15990,7 +16093,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo init_use_fds(pam_console_t) init_use_script_ptys(pam_console_t) -@@ -236,7 +254,7 @@ +@@ -236,7 +255,7 @@ optional_policy(` xserver_read_xdm_pid(pam_console_t) @@ -15999,7 +16102,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo ') ######################################## -@@ -256,6 +274,7 @@ +@@ -256,6 +275,7 @@ userdom_dontaudit_use_unpriv_users_ttys(system_chkpwd_t) userdom_dontaudit_use_unpriv_users_ptys(system_chkpwd_t) userdom_dontaudit_use_sysadm_terms(system_chkpwd_t) @@ -16007,7 +16110,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo ######################################## # -@@ -302,3 +321,28 @@ +@@ -302,3 +322,28 @@ xserver_use_xdm_fds(utempter_t) xserver_rw_xdm_pipes(utempter_t) ') @@ -19591,7 +19694,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo /tmp/gconfd-USER -d gen_context(system_u:object_r:ROLE_tmp_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.0.8/policy/modules/system/userdomain.if --- nsaserefpolicy/policy/modules/system/userdomain.if 2007-10-22 13:21:40.000000000 -0400 -+++ serefpolicy-3.0.8/policy/modules/system/userdomain.if 2008-01-07 13:07:55.000000000 -0500 ++++ serefpolicy-3.0.8/policy/modules/system/userdomain.if 2008-01-08 15:13:25.000000000 -0500 @@ -29,8 +29,9 @@ ') @@ -22051,8 +22154,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/xguest. +## Policy for xguest user diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/xguest.te serefpolicy-3.0.8/policy/modules/users/xguest.te --- nsaserefpolicy/policy/modules/users/xguest.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.0.8/policy/modules/users/xguest.te 2007-12-21 14:05:50.000000000 -0500 -@@ -0,0 +1,55 @@ ++++ serefpolicy-3.0.8/policy/modules/users/xguest.te 2008-01-13 08:07:37.000000000 -0500 +@@ -0,0 +1,62 @@ +policy_module(xguest,1.0.1) + +## @@ -22078,7 +22181,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/xguest. + +userdom_restricted_xwindows_user_template(xguest) + -+mozilla_per_role_template(xguest, xguest_t, xguest_r) ++optional_policy(` ++ gen_require(` ++ type xguest_mozilla_t; ++ ') ++ mozilla_per_role_template(xguest, xguest_t, xguest_r) ++ dbus_user_bus_client_template(xguest,xguest_mozilla,xguest_mozilla_t) ++ dbus_connectto_user_bus(xguest,xguest_mozilla_t) ++') + +# Allow mounting of file systems +optional_policy(`