diff --git a/policy-20080710.patch b/policy-20080710.patch index f655f2c..ee95960 100644 --- a/policy-20080710.patch +++ b/policy-20080710.patch @@ -492,6 +492,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/mls serefpolicy-3.5.1 # No MLS restrictions: x_drawable { show hide override } +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/alsa.te serefpolicy-3.5.13/policy/modules/admin/alsa.te +--- nsaserefpolicy/policy/modules/admin/alsa.te 2008-10-17 14:49:14.000000000 +0200 ++++ serefpolicy-3.5.13/policy/modules/admin/alsa.te 2009-03-05 13:26:46.000000000 +0100 +@@ -43,6 +43,7 @@ + + dev_read_sound(alsa_t) + dev_write_sound(alsa_t) ++dev_read_sysfs(alsa_t) + + corecmd_exec_bin(alsa_t) + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/anaconda.te serefpolicy-3.5.13/policy/modules/admin/anaconda.te --- nsaserefpolicy/policy/modules/admin/anaconda.te 2008-10-17 14:49:14.000000000 +0200 +++ serefpolicy-3.5.13/policy/modules/admin/anaconda.te 2009-02-10 15:07:15.000000000 +0100 @@ -10816,7 +10827,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/amav ## diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.fc serefpolicy-3.5.13/policy/modules/services/apache.fc --- nsaserefpolicy/policy/modules/services/apache.fc 2008-10-17 14:49:13.000000000 +0200 -+++ serefpolicy-3.5.13/policy/modules/services/apache.fc 2009-02-26 15:55:33.000000000 +0100 ++++ serefpolicy-3.5.13/policy/modules/services/apache.fc 2009-02-27 09:31:08.000000000 +0100 @@ -1,16 +1,18 @@ -HOME_DIR/((www)|(web)|(public_html))(/.+)? gen_context(system_u:object_r:httpd_ROLE_content_t,s0) +HOME_DIR/((www)|(web)|(public_html)|(public_git))(/.+)? gen_context(system_u:object_r:httpd_user_content_t,s0) 
@@ -14198,7 +14209,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.te serefpolicy-3.5.13/policy/modules/services/cron.te --- nsaserefpolicy/policy/modules/services/cron.te 2008-10-17 14:49:13.000000000 +0200 -+++ serefpolicy-3.5.13/policy/modules/services/cron.te 2009-02-10 15:07:15.000000000 +0100 ++++ serefpolicy-3.5.13/policy/modules/services/cron.te 2009-03-05 13:23:48.000000000 +0100 @@ -12,14 +12,6 @@ ## @@ -14284,11 +14295,12 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron files_read_etc_files(crond_t) files_read_generic_spool(crond_t) -@@ -142,13 +147,16 @@ +@@ -142,13 +147,17 @@ files_search_default(crond_t) init_rw_utmp(crond_t) -+init_spec_domtrans_script(crond_t) ++#init_spec_domtrans_script(crond_t) ++init_domtrans_script(system_crond_t) auth_use_nsswitch(crond_t) @@ -14301,7 +14313,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron seutil_read_config(crond_t) seutil_read_default_contexts(crond_t) -@@ -161,6 +169,7 @@ +@@ -161,6 +170,7 @@ userdom_list_all_users_home_dirs(crond_t) mta_send_mail(crond_t) @@ -14309,7 +14321,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron ifdef(`distro_debian',` # pam_limits is used -@@ -180,21 +189,45 @@ +@@ -180,21 +190,45 @@ ') ') @@ -14356,7 +14368,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron ') optional_policy(` -@@ -236,6 +269,9 @@ +@@ -236,6 +270,9 @@ allow system_crond_t cron_var_lib_t:file manage_file_perms; files_var_lib_filetrans(system_crond_t, cron_var_lib_t, file) 
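Review bot: The new `init_domtrans_script(system_crond_t)` line in the cron.te hunk (inner hunk `-142,13 +147,17`) sits among the `crond_t` rules but grants the transition to `system_crond_t`. The rule it replaces is left behind as a commented-out `#init_spec_domtrans_script(crond_t)` with no explanation. Letting system cron jobs transition automatically into the init script domain widens what a job can reach, so the reason belongs in the policy. Drop the dead line and add a comment such as `# system cron jobs restart services via init scripts` (reason to be confirmed by the author), or move the rule to the `system_crond_t` local policy section further down. The surrounding cron.te section continues outside this hunk.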
@@ -14366,7 +14378,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron allow system_crond_t system_cron_spool_t:file read_file_perms; # The entrypoint interface is not used as this is not # a regular entrypoint. Since crontab files are -@@ -267,9 +303,13 @@ +@@ -267,9 +304,13 @@ filetrans_pattern(system_crond_t, crond_tmp_t, system_crond_tmp_t, { file lnk_file }) files_tmp_filetrans(system_crond_t, system_crond_tmp_t, file) @@ -14381,7 +14393,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron kernel_read_kernel_sysctls(system_crond_t) kernel_read_system_state(system_crond_t) -@@ -323,7 +363,8 @@ +@@ -323,7 +364,8 @@ init_read_utmp(system_crond_t) init_dontaudit_rw_utmp(system_crond_t) # prelink tells init to restart it self, we either need to allow or dontaudit @@ -14391,7 +14403,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron auth_use_nsswitch(system_crond_t) -@@ -333,6 +374,7 @@ +@@ -333,6 +375,7 @@ libs_exec_ld_so(system_crond_t) logging_read_generic_logs(system_crond_t) @@ -14399,7 +14411,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron logging_send_syslog_msg(system_crond_t) miscfiles_read_localization(system_crond_t) -@@ -348,18 +390,6 @@ +@@ -348,18 +391,6 @@ ') ') @@ -14418,7 +14430,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron optional_policy(` # Needed for certwatch apache_exec_modules(system_crond_t) -@@ -383,11 +413,20 @@ +@@ -383,11 +414,20 @@ ') optional_policy(` @@ -14439,7 +14451,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron ') optional_policy(` -@@ -415,8 +454,7 @@ +@@ -415,8 +455,7 @@ ') optional_policy(` @@ -14449,7 +14461,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron ') optional_policy(` -@@ -424,15 +462,12 @@ +@@ -424,15 +463,12 @@ ') optional_policy(` 
@@ -16809,7 +16821,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/fetc diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ftp.te serefpolicy-3.5.13/policy/modules/services/ftp.te --- nsaserefpolicy/policy/modules/services/ftp.te 2008-10-17 14:49:13.000000000 +0200 -+++ serefpolicy-3.5.13/policy/modules/services/ftp.te 2009-02-18 14:36:11.000000000 +0100 ++++ serefpolicy-3.5.13/policy/modules/services/ftp.te 2009-03-05 13:32:40.000000000 +0100 @@ -26,7 +26,7 @@ ## ##

@@ -16854,7 +16866,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ftp. auth_use_nsswitch(ftpd_t) auth_domtrans_chk_passwd(ftpd_t) -@@ -226,8 +236,15 @@ +@@ -226,8 +236,16 @@ userdom_manage_all_users_home_content_dirs(ftpd_t) userdom_manage_all_users_home_content_files(ftpd_t) userdom_manage_all_users_home_content_symlinks(ftpd_t) @@ -16865,12 +16877,13 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ftp. + auth_read_all_symlinks_except_shadow(ftpd_t) ') -+unprivuser_home_dir_filetrans_home_content(ftpd_t, { file dir lnk_file }) ++# Needed for permissive mode, to make sure everything gets labeled correctly ++userdom_user_home_dir_filetrans_pattern(ftpd_t, { dir file lnk_file }) + tunable_policy(`ftp_home_dir && use_nfs_home_dirs',` fs_manage_nfs_files(ftpd_t) fs_read_nfs_symlinks(ftpd_t) -@@ -238,6 +255,11 @@ +@@ -238,6 +256,11 @@ fs_read_cifs_symlinks(ftpd_t) ') @@ -16882,7 +16895,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ftp. optional_policy(` tunable_policy(`ftp_home_dir',` apache_search_sys_content(ftpd_t) -@@ -245,6 +267,18 @@ +@@ -245,6 +268,18 @@ ') optional_policy(` @@ -16901,7 +16914,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ftp. corecmd_exec_shell(ftpd_t) files_read_usr_files(ftpd_t) -@@ -261,7 +295,9 @@ +@@ -261,7 +296,9 @@ ') optional_policy(` @@ -16912,7 +16925,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ftp. ') optional_policy(` -@@ -273,6 +309,14 @@ +@@ -273,6 +310,14 @@ ') optional_policy(` 
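Review bot: `userdom_user_home_dir_filetrans_pattern(ftpd_t, { dir file lnk_file })` is added after the `')` that closes the preceding `tunable_policy` block, so the labeling rule is unconditional rather than tied to `ftp_home_dir`. The comment gives permissive mode as the reason but does not say the rule was left outside the boolean on purpose. If that is the intent, state it, e.g. `# Unconditional on purpose: labeling only, access is still gated by ftp_home_dir`. The rest of the `ftpd_t` policy is outside the hunk, so it cannot be checked from here whether any other rule lets `ftpd_t` create objects in user home directories with the boolean off.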
@@ -20351,9 +20364,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pads +optional_policy(` + prelude_manage_spool(pads_t) +') +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pcscd.fc serefpolicy-3.5.13/policy/modules/services/pcscd.fc +--- nsaserefpolicy/policy/modules/services/pcscd.fc 2008-10-17 14:49:11.000000000 +0200 ++++ serefpolicy-3.5.13/policy/modules/services/pcscd.fc 2009-03-05 13:06:23.000000000 +0100 +@@ -1,4 +1,5 @@ + /var/run/pcscd\.comm -s gen_context(system_u:object_r:pcscd_var_run_t,s0) ++/var/run/pcscd\.events(/.*)? gen_context(system_u:object_r:pcscd_var_run_t,s0) + /var/run/pcscd\.pid -- gen_context(system_u:object_r:pcscd_var_run_t,s0) + /var/run/pcscd\.pub -- gen_context(system_u:object_r:pcscd_var_run_t,s0) + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pcscd.te serefpolicy-3.5.13/policy/modules/services/pcscd.te --- nsaserefpolicy/policy/modules/services/pcscd.te 2008-10-17 14:49:11.000000000 +0200 -+++ serefpolicy-3.5.13/policy/modules/services/pcscd.te 2009-02-10 15:07:15.000000000 +0100 ++++ serefpolicy-3.5.13/policy/modules/services/pcscd.te 2009-03-05 13:00:11.000000000 +0100 @@ -10,6 +10,7 @@ type pcscd_exec_t; domain_type(pcscd_t) 
@@ -20362,7 +20384,19 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pcsc # pid files type pcscd_var_run_t; -@@ -60,6 +61,14 @@ +@@ -27,9 +28,10 @@ + allow pcscd_t self:unix_dgram_socket create_socket_perms; + allow pcscd_t self:tcp_socket create_stream_socket_perms; + ++manage_dirs_pattern(pcscd_t, pcscd_var_run_t, pcscd_var_run_t) + manage_files_pattern(pcscd_t, pcscd_var_run_t, pcscd_var_run_t) + manage_sock_files_pattern(pcscd_t, pcscd_var_run_t, pcscd_var_run_t) +-files_pid_filetrans(pcscd_t, pcscd_var_run_t, { file sock_file }) ++files_pid_filetrans(pcscd_t, pcscd_var_run_t, { file dir sock_file }) + + corenet_all_recvfrom_unlabeled(pcscd_t) + corenet_all_recvfrom_netlabel(pcscd_t) +@@ -60,6 +62,14 @@ sysnet_dns_name_resolve(pcscd_t) optional_policy(` @@ -22097,7 +22131,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post /var/spool/postfix/private(/.*)? gen_context(system_u:object_r:postfix_private_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfix.if serefpolicy-3.5.13/policy/modules/services/postfix.if --- nsaserefpolicy/policy/modules/services/postfix.if 2008-10-17 14:49:13.000000000 +0200 -+++ serefpolicy-3.5.13/policy/modules/services/postfix.if 2009-02-10 15:07:15.000000000 +0100 ++++ serefpolicy-3.5.13/policy/modules/services/postfix.if 2009-03-05 13:42:04.000000000 +0100 @@ -46,6 +46,7 @@ allow postfix_$1_t postfix_etc_t:dir list_dir_perms; @@ -22106,7 +22140,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post can_exec(postfix_$1_t, postfix_$1_exec_t) -@@ -211,9 +212,8 @@ +@@ -78,6 +79,7 @@ + files_read_etc_runtime_files(postfix_$1_t) + files_read_usr_symlinks(postfix_$1_t) + files_search_spool(postfix_$1_t) ++ files_search_all_mountpoints(postfix_$1_t) + files_getattr_tmp_dirs(postfix_$1_t) + + init_dontaudit_use_fds(postfix_$1_t) +@@ -211,9 +213,8 @@ type postfix_etc_t; ') 
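Review bot: `files_search_all_mountpoints(postfix_$1_t)` is added inside the shared postfix template (inner hunk `-78,6 +79,7`), so every domain instantiated from it gains search access on all mount points, not only the one that needed it. No comment says which denial motivated the rule. Add one, e.g. `# spool may live on a separate mount` (reason to be confirmed), or grant the access only to the specific postfix domain that hit the denial. The template body starts and ends outside this hunk.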
@@ -22118,7 +22160,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post files_search_etc($1) ') -@@ -267,6 +267,25 @@ +@@ -267,6 +268,25 @@ dontaudit $1 postfix_local_t:tcp_socket { read write }; ') @@ -22144,7 +22186,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post ######################################## ##

## Allow domain to read postfix local process state -@@ -421,7 +440,7 @@ +@@ -421,7 +441,7 @@ ## ## # @@ -22153,7 +22195,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post gen_require(` type postfix_private_t; ') -@@ -432,6 +451,25 @@ +@@ -432,6 +452,25 @@ ######################################## ## @@ -22179,7 +22221,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post ## Execute the master postfix program in the ## postfix_master domain. ## -@@ -461,10 +499,10 @@ +@@ -461,10 +500,10 @@ # interface(`postfix_search_spool',` gen_require(` @@ -22192,7 +22234,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post files_search_spool($1) ') -@@ -480,15 +518,34 @@ +@@ -480,15 +519,34 @@ # interface(`postfix_list_spool',` gen_require(` @@ -22229,7 +22271,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post ## Read postfix mail spool files. ## ## -@@ -499,11 +556,30 @@ +@@ -499,11 +557,30 @@ # interface(`postfix_read_spool_files',` gen_require(` @@ -22262,7 +22304,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post ') ######################################## -@@ -524,3 +600,23 @@ +@@ -524,3 +601,23 @@ typeattribute $1 postfix_user_domtrans; ') @@ -23023,7 +23065,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ppp. ') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ppp.te serefpolicy-3.5.13/policy/modules/services/ppp.te --- nsaserefpolicy/policy/modules/services/ppp.te 2008-10-17 14:49:11.000000000 +0200 -+++ serefpolicy-3.5.13/policy/modules/services/ppp.te 2009-02-10 15:07:15.000000000 +0100 ++++ serefpolicy-3.5.13/policy/modules/services/ppp.te 2009-03-05 13:10:12.000000000 +0100 @@ -37,8 +37,8 @@ type pppd_etc_rw_t; files_type(pppd_etc_rw_t) 
@@ -23044,7 +23086,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ppp. kernel_read_kernel_sysctls(pppd_t) kernel_read_system_state(pppd_t) kernel_rw_net_sysctls(pppd_t) -@@ -197,6 +199,8 @@ +@@ -161,6 +163,7 @@ + + init_read_utmp(pppd_t) + init_dontaudit_write_utmp(pppd_t) ++init_signal_script(pppd_t) + + auth_use_nsswitch(pppd_t) + +@@ -197,6 +200,8 @@ optional_policy(` mta_send_mail(pppd_t) @@ -23053,7 +23103,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ppp. ') optional_policy(` -@@ -220,7 +224,7 @@ +@@ -220,7 +225,7 @@ # PPTP Local policy # @@ -23062,7 +23112,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ppp. dontaudit pptp_t self:capability sys_tty_config; allow pptp_t self:process signal; allow pptp_t self:fifo_file rw_fifo_file_perms; -@@ -228,14 +232,16 @@ +@@ -228,14 +233,16 @@ allow pptp_t self:unix_stream_socket { connectto create_stream_socket_perms }; allow pptp_t self:rawip_socket create_socket_perms; allow pptp_t self:tcp_socket create_socket_perms; @@ -23081,7 +23131,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ppp. can_exec(pptp_t, pppd_etc_rw_t) # Allow pptp to append to pppd log files -@@ -251,9 +257,13 @@ +@@ -251,9 +258,13 @@ kernel_list_proc(pptp_t) kernel_read_kernel_sysctls(pptp_t) kernel_read_proc_symlinks(pptp_t) @@ -23095,7 +23145,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ppp. corenet_all_recvfrom_unlabeled(pptp_t) corenet_all_recvfrom_netlabel(pptp_t) corenet_tcp_sendrecv_all_if(pptp_t) -@@ -269,12 +279,16 @@ +@@ -269,12 +280,16 @@ fs_getattr_all_fs(pptp_t) fs_search_auto_mountpoints(pptp_t) @@ -23112,7 +23162,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ppp. libs_use_ld_so(pptp_t) libs_use_shared_libs(pptp_t) -@@ -282,7 +296,7 @@ +@@ -282,7 +297,7 @@ miscfiles_read_localization(pptp_t) 
@@ -23121,7 +23171,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ppp. userdom_dontaudit_use_unpriv_user_fds(pptp_t) -@@ -293,11 +307,15 @@ +@@ -293,11 +308,15 @@ ') optional_policy(` @@ -23139,7 +23189,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ppp. ') optional_policy(` -@@ -311,6 +329,3 @@ +@@ -311,6 +330,3 @@ optional_policy(` postfix_read_config(pppd_t) ') @@ -32215,7 +32265,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iscsi. allow iscsid_t iscsi_tmp_t:dir manage_dir_perms; diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.fc serefpolicy-3.5.13/policy/modules/system/libraries.fc --- nsaserefpolicy/policy/modules/system/libraries.fc 2008-10-17 14:49:13.000000000 +0200 -+++ serefpolicy-3.5.13/policy/modules/system/libraries.fc 2009-02-19 09:45:25.000000000 +0100 ++++ serefpolicy-3.5.13/policy/modules/system/libraries.fc 2009-03-05 13:40:41.000000000 +0100 @@ -60,12 +60,15 @@ # # /opt @@ -32361,7 +32411,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/librar ') dnl end distro_redhat # -@@ -307,6 +333,28 @@ +@@ -307,6 +333,33 @@ /var/lib/samba/bin/.+\.so(\.[^/]*)* -l gen_context(system_u:object_r:lib_t,s0) ') 
@@ -32390,6 +32440,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/librar +/opt/google-earth/.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) + +/opt/(.*/)?oracle/(.*/)?libnnz.*\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) ++ ++/opt/Komodo/lib/python/lib/python2.6/lib-dynload/.*\.so(\.[^/]*)* gen_context(system_u:object_r:textrel_shlib_t,s0) ++ ++ ++ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.te serefpolicy-3.5.13/policy/modules/system/libraries.te --- nsaserefpolicy/policy/modules/system/libraries.te 2008-10-17 14:49:13.000000000 +0200 +++ serefpolicy-3.5.13/policy/modules/system/libraries.te 2009-02-10 15:07:15.000000000 +0100 @@ -35403,7 +35458,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo +/root(/.*)? gen_context(system_u:object_r:admin_home_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.5.13/policy/modules/system/userdomain.if --- nsaserefpolicy/policy/modules/system/userdomain.if 2008-10-17 14:49:13.000000000 +0200 -+++ serefpolicy-3.5.13/policy/modules/system/userdomain.if 2009-02-18 10:13:15.000000000 +0100 ++++ serefpolicy-3.5.13/policy/modules/system/userdomain.if 2009-03-05 13:30:03.000000000 +0100 @@ -28,10 +28,14 @@ class context contains; ') @@ -36796,7 +36851,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -1993,11 +1994,47 @@ +@@ -1993,11 +1994,72 @@ # template(`userdom_manage_user_home_content_dirs',` gen_require(` 
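Review bot: The added Komodo entry `/opt/Komodo/lib/python/lib/python2.6/lib-dynload/.*\.so(\.[^/]*)*` has no file-type field, unlike the google-earth and oracle entries just above it, which use `--`. As written it would also label directories and symlinks that match the pattern. `textrel_shlib_t` exists to permit text relocations, so the match should be as narrow as its neighbours: `/opt/Komodo/lib/python/lib/python2.6/lib-dynload/.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)`. The path also pins `python2.6`, and the hunk appends three empty lines to libraries.fc; both are worth tidying.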
@@ -36812,6 +36867,31 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo + +######################################## +## ++## Create objects in a user home directory ++## with an automatic type transition to ++## the user home file type. ++## ++## ++## ++## Domain allowed access. ++## ++## ++## ++## ++## The class of the object to be created. ++## ++## ++# ++interface(`userdom_user_home_dir_filetrans_pattern',` ++ gen_require(` ++ type user_home_dir_t, user_home_t; ++ ') ++ ++ type_transition $1 user_home_dir_t:$2 user_home_t; ++') ++ ++######################################## ++## +## dontaudit attemps to Create files +## in a user home subdirectory. +## @@ -36846,7 +36926,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2029,10 +2066,10 @@ +@@ -2029,10 +2091,10 @@ # template(`userdom_dontaudit_setattr_user_home_content_files',` gen_require(` @@ -36859,7 +36939,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2062,11 +2099,11 @@ +@@ -2062,11 +2124,11 @@ # template(`userdom_read_user_home_content_files',` gen_require(` @@ -36873,7 +36953,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2096,11 +2133,11 @@ +@@ -2096,11 +2158,11 @@ # template(`userdom_dontaudit_read_user_home_content_files',` gen_require(` @@ -36888,7 +36968,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2130,10 +2167,14 @@ +@@ -2130,10 +2192,14 @@ # template(`userdom_dontaudit_write_user_home_content_files',` gen_require(` 
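Review bot: The new interface `userdom_user_home_dir_filetrans_pattern` emits only `type_transition $1 user_home_dir_t:$2 user_home_t;`, but its summary says "Create objects in a user home directory". Its `_pattern` suffix also suggests the allow rules that `filetrans_pattern` bundles, so a caller reading the documentation will assume create access is granted when only the default label is set. If labeling is all that is meant, reword the summary to something like `Label objects created in a user home directory as user_home_t; grants no access by itself`. If access is intended, build it on `filetrans_pattern($1, user_home_dir_t, user_home_t, $2)`. The "permissive mode" comment at the ftp.te call site suggests the former.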
@@ -36905,7 +36985,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2163,11 +2204,11 @@ +@@ -2163,11 +2229,11 @@ # template(`userdom_read_user_home_content_symlinks',` gen_require(` @@ -36919,7 +36999,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2197,11 +2238,11 @@ +@@ -2197,11 +2263,11 @@ # template(`userdom_exec_user_home_content_files',` gen_require(` @@ -36933,7 +37013,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2231,10 +2272,37 @@ +@@ -2231,10 +2297,37 @@ # template(`userdom_dontaudit_exec_user_home_content_files',` gen_require(` @@ -36973,7 +37053,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2266,12 +2334,12 @@ +@@ -2266,12 +2359,12 @@ # template(`userdom_manage_user_home_content_files',` gen_require(` @@ -36989,7 +37069,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2303,10 +2371,10 @@ +@@ -2303,10 +2396,10 @@ # template(`userdom_dontaudit_manage_user_home_content_dirs',` gen_require(` @@ -37002,7 +37082,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2338,12 +2406,12 @@ +@@ -2338,12 +2431,12 @@ # template(`userdom_manage_user_home_content_symlinks',` gen_require(` @@ -37018,7 +37098,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2375,12 +2443,12 @@ +@@ -2375,12 +2468,12 @@ # template(`userdom_manage_user_home_content_pipes',` gen_require(` 
@@ -37034,7 +37114,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2412,12 +2480,12 @@ +@@ -2412,12 +2505,12 @@ # template(`userdom_manage_user_home_content_sockets',` gen_require(` @@ -37050,7 +37130,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2462,11 +2530,11 @@ +@@ -2462,11 +2555,11 @@ # template(`userdom_user_home_dir_filetrans',` gen_require(` @@ -37064,7 +37144,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2511,11 +2579,11 @@ +@@ -2511,11 +2604,11 @@ # template(`userdom_user_home_content_filetrans',` gen_require(` @@ -37078,7 +37158,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2555,11 +2623,11 @@ +@@ -2555,11 +2648,11 @@ # template(`userdom_user_home_dir_filetrans_user_home_content',` gen_require(` @@ -37092,7 +37172,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2589,11 +2657,11 @@ +@@ -2589,11 +2682,11 @@ # template(`userdom_write_user_tmp_sockets',` gen_require(` @@ -37106,7 +37186,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2623,11 +2691,11 @@ +@@ -2623,11 +2716,11 @@ # template(`userdom_list_user_tmp',` gen_require(` @@ -37120,7 +37200,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2659,10 +2727,10 @@ +@@ -2659,10 +2752,10 @@ # template(`userdom_dontaudit_list_user_tmp',` gen_require(` 
@@ -37133,7 +37213,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2694,10 +2762,10 @@ +@@ -2694,10 +2787,10 @@ # template(`userdom_dontaudit_manage_user_tmp_dirs',` gen_require(` @@ -37146,7 +37226,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2727,12 +2795,12 @@ +@@ -2727,12 +2820,12 @@ # template(`userdom_read_user_tmp_files',` gen_require(` @@ -37162,7 +37242,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2764,10 +2832,10 @@ +@@ -2764,10 +2857,10 @@ # template(`userdom_dontaudit_read_user_tmp_files',` gen_require(` @@ -37175,7 +37255,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2799,10 +2867,10 @@ +@@ -2799,10 +2892,10 @@ # template(`userdom_dontaudit_append_user_tmp_files',` gen_require(` @@ -37188,7 +37268,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2832,12 +2900,12 @@ +@@ -2832,12 +2925,12 @@ # template(`userdom_rw_user_tmp_files',` gen_require(` @@ -37204,7 +37284,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2869,10 +2937,10 @@ +@@ -2869,10 +2962,10 @@ # template(`userdom_dontaudit_manage_user_tmp_files',` gen_require(` @@ -37217,7 +37297,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2904,12 +2972,12 @@ +@@ -2904,12 +2997,12 @@ # template(`userdom_read_user_tmp_symlinks',` gen_require(` 
@@ -37233,7 +37313,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2941,11 +3009,11 @@ +@@ -2941,11 +3034,11 @@ # template(`userdom_manage_user_tmp_dirs',` gen_require(` @@ -37247,7 +37327,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2977,11 +3045,11 @@ +@@ -2977,11 +3070,11 @@ # template(`userdom_manage_user_tmp_files',` gen_require(` @@ -37261,7 +37341,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -3013,11 +3081,11 @@ +@@ -3013,11 +3106,11 @@ # template(`userdom_manage_user_tmp_symlinks',` gen_require(` @@ -37275,7 +37355,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -3049,11 +3117,11 @@ +@@ -3049,11 +3142,11 @@ # template(`userdom_manage_user_tmp_pipes',` gen_require(` @@ -37289,7 +37369,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -3085,11 +3153,11 @@ +@@ -3085,11 +3178,11 @@ # template(`userdom_manage_user_tmp_sockets',` gen_require(` @@ -37303,7 +37383,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -3134,10 +3202,10 @@ +@@ -3134,10 +3227,10 @@ # template(`userdom_user_tmp_filetrans',` gen_require(` @@ -37316,7 +37396,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo files_search_tmp($2) ') -@@ -3178,19 +3246,19 @@ +@@ -3178,19 +3271,19 @@ # template(`userdom_tmp_filetrans_user_tmp',` gen_require(` @@ -37340,7 +37420,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ##

##

## This is a templated interface, and should only -@@ -3211,13 +3279,13 @@ +@@ -3211,13 +3304,13 @@ # template(`userdom_rw_user_tmpfs_files',` gen_require(` @@ -37358,7 +37438,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -4616,11 +4684,11 @@ +@@ -4616,11 +4709,11 @@ # interface(`userdom_search_all_users_home_dirs',` gen_require(` @@ -37372,7 +37452,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -4640,6 +4708,14 @@ +@@ -4640,6 +4733,14 @@ files_list_home($1) allow $1 home_dir_type:dir list_dir_perms; @@ -37387,7 +37467,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -4677,6 +4753,8 @@ +@@ -4677,6 +4778,8 @@ ') dontaudit $1 { home_dir_type home_type }:dir search_dir_perms; @@ -37396,7 +37476,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -4721,6 +4799,25 @@ +@@ -4721,6 +4824,25 @@ ######################################## ##

@@ -37422,7 +37502,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ## Create, read, write, and delete all files ## in all users home directories. ## -@@ -4946,7 +5043,7 @@ +@@ -4946,7 +5068,7 @@ ######################################## ## @@ -37431,7 +37511,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ## ## ## -@@ -5318,7 +5415,7 @@ +@@ -5318,7 +5440,7 @@ ######################################## ## @@ -37440,7 +37520,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ## ## ## -@@ -5326,18 +5423,17 @@ +@@ -5326,18 +5448,17 @@ ## ## # @@ -37463,7 +37543,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ## ## ## -@@ -5345,17 +5441,17 @@ +@@ -5345,17 +5466,54 @@ ## ## # 
@@ -37482,49 +37562,25 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ## -## Read the process state of all user domains. +## Read and write unprivileged user ttys. - ## - ## - ## -@@ -5363,18 +5459,18 @@ - ## - ## - # --interface(`userdom_read_all_users_state',` ++## ++## ++## ++## Domain allowed access. ++## ++## ++# +interface(`userdom_use_unpriv_users_ttys',` - gen_require(` -- attribute userdomain; -+ attribute user_ttynode; - ') - -- read_files_pattern($1,userdomain,userdomain) -- kernel_search_proc($1) -+ allow $1 user_ttynode:chr_file rw_term_perms; - ') - - ######################################## - ## --## Get the attributes of all user domains. -+## Do not audit attempts to use unprivileged -+## user ttys. - ## - ## - ## -@@ -5382,7 +5478,44 @@ - ## - ## - # --interface(`userdom_getattr_all_users',` -+interface(`userdom_dontaudit_use_unpriv_users_ttys',` + gen_require(` + attribute user_ttynode; + ') + -+ dontaudit $1 user_ttynode:chr_file rw_file_perms; ++ allow $1 user_ttynode:chr_file rw_term_perms; +') + +######################################## +## -+## Read the process state of all user domains. ++## Do not audit attempts to use unprivileged ++## user ttys. +## +## +## 
@@ -37532,30 +37588,30 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo +## +## +# -+interface(`userdom_read_all_users_state',` ++interface(`userdom_dontaudit_use_unpriv_users_ttys',` + gen_require(` -+ attribute userdomain; ++ attribute user_ttynode; + ') + -+ ps_process_pattern($1, userdomain) -+ kernel_search_proc($1) ++ dontaudit $1 user_ttynode:chr_file rw_file_perms; +') + +######################################## +## -+## Get the attributes of all user domains. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`userdom_getattr_all_users',` - gen_require(` ++## Read the process state of all user domains. + ## + ## + ## +@@ -5368,7 +5526,7 @@ attribute userdomain; ') -@@ -5447,6 +5580,24 @@ + +- read_files_pattern($1,userdomain,userdomain) ++ ps_process_pattern($1, userdomain) + kernel_search_proc($1) + ') + +@@ -5447,6 +5605,24 @@ ######################################## ## @@ -37580,7 +37636,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ## Send a SIGCHLD signal to all user domains. ## ## -@@ -5483,6 +5634,42 @@ +@@ -5483,6 +5659,42 @@ ######################################## ## @@ -37623,7 +37679,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ## Send a dbus message to all user domains. ## ## -@@ -5513,3 +5700,622 @@ +@@ -5513,3 +5725,622 @@ interface(`userdom_unconfined',` refpolicywarn(`$0($*) has been deprecated.') ')