diff --git a/policy-20070703.patch b/policy-20070703.patch index 92c5d60..4fc6957 100644 --- a/policy-20070703.patch +++ b/policy-20070703.patch @@ -1812,7 +1812,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/mrtg.te files_search_var(mrtg_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/netutils.te serefpolicy-3.0.8/policy/modules/admin/netutils.te --- nsaserefpolicy/policy/modules/admin/netutils.te 2008-06-12 23:37:55.000000000 -0400 -+++ serefpolicy-3.0.8/policy/modules/admin/netutils.te 2008-06-12 23:37:59.000000000 -0400 ++++ serefpolicy-3.0.8/policy/modules/admin/netutils.te 2008-07-02 17:05:40.000000000 -0400 @@ -40,7 +40,7 @@ allow netutils_t self:capability { net_admin net_raw setuid setgid }; dontaudit netutils_t self:capability sys_tty_config; @@ -1871,18 +1871,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/netutil nis_use_ypbind(ping_t) ') -@@ -151,6 +170,10 @@ - ') - - optional_policy(` -+ munin_append_logs(ping_t) -+') -+ -+optional_policy(` - pcmcia_use_cardmgr_fds(ping_t) - ') - -@@ -166,7 +189,7 @@ +@@ -166,7 +185,7 @@ allow traceroute_t self:capability { net_admin net_raw setuid setgid }; allow traceroute_t self:rawip_socket create_socket_perms; allow traceroute_t self:packet_socket create_socket_perms; @@ -9656,7 +9645,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus ifdef(`distro_redhat',` diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus.if serefpolicy-3.0.8/policy/modules/services/dbus.if --- nsaserefpolicy/policy/modules/services/dbus.if 2008-06-12 23:37:57.000000000 -0400 -+++ serefpolicy-3.0.8/policy/modules/services/dbus.if 2008-06-12 23:37:58.000000000 -0400 ++++ serefpolicy-3.0.8/policy/modules/services/dbus.if 2008-07-02 17:15:03.000000000 -0400 @@ -50,6 +50,12 @@ ## # 
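Review bot: The second netutils.te hunk (`@@ -1871,18 +1871,7 @@`) deletes the whole `munin_append_logs(ping_t)` optional_policy block from the patch and only renumbers the traceroute hunk after it, so ping_t loses its append access to munin log files with nothing in this diff saying why. If that rule now lives elsewhere (munin's own module, for example) a changelog line should say so; if not, a munin ping plugin running as ping_t will start producing AVC denials on its log files instead of appending to them. The netutils.te patch this hunk edits continues outside SOURCE in both directions, so an equivalent rule may exist out of view.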
@@ -9754,7 +9743,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus # For connecting to the bus allow $3 $1_dbusd_t:unix_stream_socket connectto; -+ userdom_dontaudit_write_user_home_content_files($1_dbusd_t) ++ userdom_dontaudit_write_user_home_content_files($1, $1_dbusd_t) ') ######################################## @@ -22847,7 +22836,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf +/usr/sbin/sysreport -- gen_context(system_u:object_r:unconfined_notrans_exec_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.if serefpolicy-3.0.8/policy/modules/system/unconfined.if --- nsaserefpolicy/policy/modules/system/unconfined.if 2008-06-12 23:37:57.000000000 -0400 -+++ serefpolicy-3.0.8/policy/modules/system/unconfined.if 2008-06-12 23:37:59.000000000 -0400 ++++ serefpolicy-3.0.8/policy/modules/system/unconfined.if 2008-07-02 17:10:48.000000000 -0400 @@ -12,14 +12,13 @@ # interface(`unconfined_domain_noaudit',` @@ -23444,7 +23433,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo /tmp/gconfd-USER -d gen_context(system_u:object_r:ROLE_tmp_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.0.8/policy/modules/system/userdomain.if --- nsaserefpolicy/policy/modules/system/userdomain.if 2008-06-12 23:37:57.000000000 -0400 -+++ serefpolicy-3.0.8/policy/modules/system/userdomain.if 2008-06-27 07:07:05.000000000 -0400 ++++ serefpolicy-3.0.8/policy/modules/system/userdomain.if 2008-07-02 17:13:24.000000000 -0400 @@ -29,8 +29,9 @@ ') 
@@ -24450,9 +24439,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo read_files_pattern($2,{ $1_home_dir_t $1_home_t },$1_home_t) ') -@@ -2034,6 +2161,10 @@ - ') - +@@ -2029,11 +2156,11 @@ + ## + # + template(`userdom_dontaudit_write_user_home_content_files',` +- gen_require(` +- type $1_home_t; +- ') +- dontaudit $2 $1_home_t:file write; + fs_dontaudit_list_nfs($2) + fs_dontaudit_rw_nfs_files($2) @@ -24461,7 +24455,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2066,7 +2197,7 @@ +@@ -2066,7 +2193,7 @@ type $1_home_dir_t, $1_home_t; ') @@ -24470,7 +24464,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo read_lnk_files_pattern($2,{ $1_home_dir_t $1_home_t },$1_home_t) ') -@@ -2100,7 +2231,7 @@ +@@ -2100,7 +2227,7 @@ type $1_home_dir_t, $1_home_t; ') @@ -24479,7 +24473,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo exec_files_pattern($2,{ $1_home_dir_t $1_home_t },$1_home_t) ') -@@ -2169,7 +2300,7 @@ +@@ -2169,7 +2296,7 @@ type $1_home_dir_t, $1_home_t; ') @@ -24488,7 +24482,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo allow $2 $1_home_dir_t:dir search_dir_perms; manage_files_pattern($2,$1_home_t,$1_home_t) ') -@@ -2241,7 +2372,7 @@ +@@ -2241,7 +2368,7 @@ type $1_home_dir_t, $1_home_t; ') @@ -24497,7 +24491,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo allow $2 $1_home_dir_t:dir search_dir_perms; manage_lnk_files_pattern($2,$1_home_t,$1_home_t) ') -@@ -2278,7 +2409,7 @@ +@@ -2278,7 +2405,7 @@ type $1_home_dir_t, $1_home_t; ') 
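Review bot: The rewritten userdomain.if hunk (`@@ -2029,11 +2156,11 @@`) removes `dontaudit $2 $1_home_t:file write;` together with its `gen_require` of `type $1_home_t;`, so `userdom_dontaudit_write_user_home_content_files` now only silences the NFS/CIFS denials covered by the surrounding `fs_dontaudit_*` lines and no longer silences writes to the user's local home files that its name promises. The remaining body never references `$1`, which also makes the first argument the dbus.if hunk adds (`userdom_dontaudit_write_user_home_content_files($1, $1_dbusd_t)`) dead. If `$1_home_t` is being replaced by a shared home type in this policy, keep the local rule against that type, e.g. `dontaudit $2 user_home_t:file write;` inside a matching `gen_require`; otherwise restore the original rule. The template's closing lines and the cifs `fs_dontaudit_*` calls are outside this hunk.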
@@ -24506,7 +24500,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo allow $2 $1_home_dir_t:dir search_dir_perms; manage_fifo_files_pattern($2,$1_home_t,$1_home_t) ') -@@ -2315,7 +2446,7 @@ +@@ -2315,7 +2442,7 @@ type $1_home_dir_t, $1_home_t; ') @@ -24515,7 +24509,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo allow $2 $1_home_dir_t:dir search_dir_perms; manage_sock_files_pattern($2,$1_home_t,$1_home_t) ') -@@ -2365,7 +2496,7 @@ +@@ -2365,7 +2492,7 @@ type $1_home_dir_t; ') @@ -24524,7 +24518,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo filetrans_pattern($2,$1_home_dir_t,$3,$4) ') -@@ -2414,7 +2545,7 @@ +@@ -2414,7 +2541,7 @@ type $1_home_t; ') @@ -24533,7 +24527,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo filetrans_pattern($2,$1_home_t,$3,$4) ') -@@ -2458,7 +2589,7 @@ +@@ -2458,7 +2585,7 @@ type $1_home_dir_t, $1_home_t; ') @@ -24542,7 +24536,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo filetrans_pattern($2,$1_home_dir_t,$1_home_t,$3) ') -@@ -2994,6 +3125,25 @@ +@@ -2994,6 +3121,25 @@ ######################################## ## @@ -24568,7 +24562,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ## Create objects in a user temporary directory ## with an automatic type transition to ## a specified private type. -@@ -3078,7 +3228,7 @@ +@@ -3078,7 +3224,7 @@ # template(`userdom_tmp_filetrans_user_tmp',` gen_require(` @@ -24577,7 +24571,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') files_tmp_filetrans($2,$1_tmp_t,$3) -@@ -3086,11 +3236,11 @@ +@@ -3086,11 +3232,11 @@ ######################################## ## @@ -24591,7 +24585,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ##

##

## This is a templated interface, and should only -@@ -3122,6 +3272,42 @@ +@@ -3122,6 +3268,42 @@ ######################################## ##

@@ -24634,7 +24628,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ## List users untrusted directories. ## ## -@@ -4089,7 +4275,7 @@ +@@ -4089,7 +4271,7 @@ type staff_home_dir_t; ') @@ -24643,7 +24637,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo allow $1 staff_home_dir_t:dir search_dir_perms; ') -@@ -4128,7 +4314,7 @@ +@@ -4128,7 +4310,7 @@ type staff_home_dir_t; ') @@ -24652,7 +24646,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo allow $1 staff_home_dir_t:dir manage_dir_perms; ') -@@ -4147,7 +4333,7 @@ +@@ -4147,7 +4329,7 @@ type staff_home_dir_t; ') @@ -24661,7 +24655,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo allow $1 staff_home_dir_t:dir relabelto; ') -@@ -4185,7 +4371,7 @@ +@@ -4185,7 +4367,7 @@ type staff_home_dir_t, staff_home_t; ') @@ -24670,7 +24664,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo allow $1 { staff_home_dir_t staff_home_t }:dir list_dir_perms; read_files_pattern($1,{ staff_home_dir_t staff_home_t },staff_home_t) read_lnk_files_pattern($1,{ staff_home_dir_t staff_home_t },staff_home_t) -@@ -4410,6 +4596,7 @@ +@@ -4410,6 +4592,7 @@ ') dontaudit $1 sysadm_home_dir_t:dir getattr; @@ -24678,7 +24672,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -4444,9 +4631,11 @@ +@@ -4444,9 +4627,11 @@ interface(`userdom_dontaudit_search_sysadm_home_dirs',` gen_require(` type sysadm_home_dir_t; @@ -24690,7 +24684,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -4570,10 +4759,11 @@ +@@ -4570,10 +4755,11 @@ type sysadm_home_dir_t, sysadm_home_t; ') 
@@ -24703,7 +24697,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -4609,11 +4799,29 @@ +@@ -4609,11 +4795,29 @@ # interface(`userdom_search_all_users_home_dirs',` gen_require(` @@ -24734,7 +24728,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -4633,6 +4841,14 @@ +@@ -4633,6 +4837,14 @@ files_list_home($1) allow $1 home_dir_type:dir list_dir_perms; @@ -24749,7 +24743,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -4670,6 +4886,8 @@ +@@ -4670,6 +4882,8 @@ ') dontaudit $1 { home_dir_type home_type }:dir search_dir_perms; @@ -24758,7 +24752,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -4895,7 +5113,7 @@ +@@ -4895,7 +5109,7 @@ type user_home_dir_t, user_home_t; ') @@ -24767,7 +24761,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo filetrans_pattern($1,user_home_dir_t,user_home_t,$2) ') -@@ -4933,7 +5151,7 @@ +@@ -4933,7 +5147,7 @@ type user_home_dir_t; ') @@ -24776,7 +24770,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo allow $1 user_home_dir_t:dir manage_dir_perms; ') -@@ -4954,7 +5172,7 @@ +@@ -4954,7 +5168,7 @@ type user_home_t; ') @@ -24785,7 +24779,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo manage_dirs_pattern($1,{ user_home_dir_t user_home_t },user_home_t) ') -@@ -4973,7 +5191,7 @@ +@@ -4973,7 +5187,7 @@ type staff_home_dir_t; ') @@ -24794,7 +24788,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo allow $1 user_home_dir_t:dir relabelto; ') -@@ -4992,7 +5210,7 @@ +@@ -4992,7 +5206,7 @@ type user_home_t, user_home_dir_t; ') 
@@ -24803,7 +24797,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo allow $1 user_home_t:dir list_dir_perms; read_files_pattern($1,{ user_home_dir_t user_home_t },user_home_t) ') -@@ -5013,7 +5231,7 @@ +@@ -5013,7 +5227,7 @@ type user_home_t; ') @@ -24812,7 +24806,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo allow $1 user_home_t:file execute; ') -@@ -5033,7 +5251,7 @@ +@@ -5033,7 +5247,7 @@ type user_home_dir_t, user_home_t; ') @@ -24821,7 +24815,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo manage_files_pattern($1,{ user_home_dir_t user_home_t },user_home_t) ') -@@ -5072,7 +5290,7 @@ +@@ -5072,7 +5286,7 @@ type user_home_t; ') @@ -24830,7 +24824,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo manage_lnk_files_pattern($1,{ user_home_dir_t user_home_t },user_home_t) ') -@@ -5092,7 +5310,7 @@ +@@ -5092,7 +5306,7 @@ type user_home_t; ') @@ -24839,7 +24833,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo manage_fifo_files_pattern($1,{ user_home_dir_t user_home_t },user_home_t) ') -@@ -5112,7 +5330,7 @@ +@@ -5112,7 +5326,7 @@ type user_home_t; ') @@ -24848,7 +24842,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo manage_sock_files_pattern($1,{ user_home_dir_t user_home_t },user_home_t) ') -@@ -5131,7 +5349,7 @@ +@@ -5131,7 +5345,7 @@ attribute user_home_dir_type; ') @@ -24857,7 +24851,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo allow $1 user_home_dir_type:dir search_dir_perms; ') -@@ -5151,7 +5369,7 @@ +@@ -5151,7 +5365,7 @@ attribute user_home_dir_type, user_home_type; ') 
@@ -24866,7 +24860,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo allow $1 user_home_type:dir list_dir_perms; read_files_pattern($1,{ user_home_dir_type user_home_type },user_home_type) read_lnk_files_pattern($1,{ user_home_dir_type user_home_type },user_home_type) -@@ -5173,7 +5391,7 @@ +@@ -5173,7 +5387,7 @@ attribute user_home_dir_type, user_home_type; ') @@ -24875,7 +24869,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo manage_dirs_pattern($1,{ user_home_dir_type user_home_type },user_home_type) ') -@@ -5193,7 +5411,7 @@ +@@ -5193,7 +5407,7 @@ attribute user_home_dir_type, user_home_type; ') @@ -24884,7 +24878,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo manage_files_pattern($1,{ user_home_dir_type user_home_type },user_home_type) ') -@@ -5323,7 +5541,7 @@ +@@ -5323,7 +5537,7 @@ attribute user_tmpfile; ') @@ -24893,7 +24887,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -5346,6 +5564,25 @@ +@@ -5346,6 +5560,25 @@ ######################################## ## @@ -24919,7 +24913,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ## Write all unprivileged users files in /tmp ## ## -@@ -5529,6 +5766,24 @@ +@@ -5529,6 +5762,24 @@ ######################################## ## @@ -24944,7 +24938,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ## Send a dbus message to all user domains. ## ## -@@ -5559,3 +5814,420 @@ +@@ -5559,3 +5810,420 @@ interface(`userdom_unconfined',` refpolicywarn(`$0($*) has been deprecated.') ')