diff --exclude-from=exclude -N -u -r nsaserefpolicy/Makefile serefpolicy-3.7.19/Makefile
--- nsaserefpolicy/Makefile 2010-04-13 20:44:36.000000000 +0200
+++ serefpolicy-3.7.19/Makefile 2010-05-28 09:41:59.942610848 +0200
@@ -244,7 +244,7 @@
appdir := $(contextpath)
user_default_contexts := $(wildcard config/appconfig-$(TYPE)/*_default_contexts)
user_default_contexts_names := $(addprefix $(contextpath)/users/,$(subst _default_contexts,,$(notdir $(user_default_contexts))))
-appfiles := $(addprefix $(appdir)/,default_contexts default_type initrc_context failsafe_context userhelper_context removable_context dbus_contexts x_contexts customizable_types securetty_types) $(contextpath)/files/media $(user_default_contexts_names)
+appfiles := $(addprefix $(appdir)/,default_contexts default_type initrc_context failsafe_context userhelper_context removable_context dbus_contexts x_contexts customizable_types securetty_types virtual_image_context virtual_domain_context) $(contextpath)/files/media $(user_default_contexts_names)
net_contexts := $(builddir)net_contexts
all_layers := $(shell find $(wildcard $(moddir)/*) -maxdepth 0 -type d)
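Review bot: The two new names `virtual_image_context virtual_domain_context` on the `appfiles :=` line are hard-coded, whereas the neighbouring `user_default_contexts` is gathered with `$(wildcard ...)`, so every `config/appconfig-$(TYPE)/` directory this tree is built for must now ship both files or the install step that consumes `appfiles` (outside this hunk) presumably fails on a missing source. If both files are mandatory for every policy type, a comment above the assignment such as `# virtual_*_context must exist for every TYPE; they are installed unconditionally` would record why they are not wildcarded. I cannot see the install rule here, so how a missing file is handled is inferred.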
diff --exclude-from=exclude -N -u -r nsaserefpolicy/man/man8/ftpd_selinux.8 serefpolicy-3.7.19/man/man8/ftpd_selinux.8
--- nsaserefpolicy/man/man8/ftpd_selinux.8 2010-04-13 20:44:36.000000000 +0200
+++ serefpolicy-3.7.19/man/man8/ftpd_selinux.8 2010-09-09 15:08:15.357085367 +0200
@@ -15,7 +15,7 @@
semanage fcontext -a -t public_content_t "/var/ftp(/.*)?"
.TP
.B
-restorecon -R -v /var/ftp
+restorecon -F -R -v /var/ftp
.TP
Allow ftp servers to read and write /var/tmp/incoming by adding the public_content_rw_t type to the directory and by restoring the file type. This also requires the allow_ftpd_anon_write boolean to be set.
.PP
@@ -23,7 +23,7 @@
semanage fcontext -a -t public_content_rw_t "/var/ftp/incoming(/.*)?"
.TP
.B
-restorecon -R -v /var/ftp/incoming
+restorecon -F -R -v /var/ftp/incoming
.SH BOOLEANS
.PP
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/global_tunables serefpolicy-3.7.19/policy/global_tunables
--- nsaserefpolicy/policy/global_tunables 2010-04-13 20:44:37.000000000 +0200
+++ serefpolicy-3.7.19/policy/global_tunables 2010-05-28 09:41:59.942610848 +0200
@@ -61,15 +61,6 @@
##
-## Allow email client to various content.
-## nfs, samba, removable devices, and user temp
-## files
-##
## Allow any files/directories to be exported read/write via NFS.
##
+## Allow direct login to the console device. Required for System 390 +##
+##+## Allow certain domains to map low memory in the kernel +##
+##+## Allow ncftool to read user content. +##
+##+## This template creates a derived domains which are used +## for execmem applications. +##
+##@@ -14,12 +15,21 @@ ##
+## Allow gpg web domain to modify public files +## used for public file transfer services. +##
+##+## Allow the Irssi IRC Client to connect to any port, +## and to bind to any unreserved port. +##
+##+## Execute a mozilla_exec_t +## in the specified domain. +##
+##+## No interprocess communication (signals, pipes, +## etc.) is provided by this interface since +## the domains are not owned by this module. +##
+##+## Execute a mplayer_exec_t +## in the specified domain. +##
+##+## No interprocess communication (signals, pipes, +## etc.) is provided by this interface since +## the domains are not owned by this module. +##
+##+## This template creates a derived domains which are used +## for nsplugin web browser. +##
+##+## This template is invoked automatically for each user, and +## generally does not need to be invoked directly +## by policy writers. +##
+##+## Execute a nsplugin_exec_t +## in the specified domain. +##
+##+## No interprocess communication (signals, pipes, +## etc.) is provided by this interface since +## the domains are not owned by this module. +##
+##+## Allow nsplugin code to execmem/execstack +##
+##+## Allow nsplugin code to connect to unreserved ports +##
+##+## This template creates a derived domains which are used +## for java applications. +##
+##+## Execute a openoffice_exec_t +## in the specified domain. +##
+##+## No interprocess communication (signals, pipes, +## etc.) is provided by this interface since +## the domains are not owned by this module. +##
+##+## Execute qemu_exec_t +## in the specified domain. This allows +## the specified domain to qemu programs +## on these filesystems in the specified +## domain. +##
+##+## Allow the Telepathy connection managers +## to connect to any generic TCP port. +##
+##+## This template creates a derived domains which are used +## for consolehelper applications. +##
+##+## Ignore wine mmap_zero errors +##
+##+## Allow all domains to use other domains file descriptors +##
+##+## Allow all domains to have the kernel load modules +##
+##+## Allow shared library text relocations in tmp files. +##
+##+## This is added to support java policy. +##
+##+## Create a core file in /, +##
+##+## Create a default_t direcrory +##
+##+## Allow the specified domain to request that the kernel +## load a kernel module. An example of this is the +## auto-loading of network drivers when doing an +## ioctl() on a network interface. +##
+##+## In the specific case of a module loading request +## on a network interface, the domain will also +## need the net_admin capability. +##
+##+## Change from the unconfineduser role to +## the specified role. +##
+##+## This is an interface to support third party modules +## and its use is not allowed in upstream reference +## policy. +##
+##+## Allow unconfined to execute the specified program in +## the specified domain. +##
+##+## This is a interface to support third party modules +## and its use is not allowed in upstream reference +## policy. +##
+##+## Allow unconfined to execute the specified program in +## the specified domain. Allow the specified domain the +## unconfined role and use of unconfined user terminals. +##
+##+## This is a interface to support third party modules +## and its use is not allowed in upstream reference +## policy. +##
+##+## Do not audit attempts to read or write +## unconfined domain tcp sockets. +##
+##+## This interface was added due to a broken +## symptom in ldconfig. +##
+##+## Do not audit attempts to read or write +## unconfined domain packet sockets. +##
+##+## This interface was added due to a broken +## symptom. +##
+##+## Transition to confined nsplugin domains from unconfined user +##
+##+## Allow a user to login as an unconfined domain +##
+##+## Transition to confined qemu domains from unconfined user +##
+##+## Ignore wine mmap_zero errors +##
+##-## Allow xguest to configure Network Manager +## Allow xguest to configure Network Manager and connect to apache ports ##
##+## Allow ABRT to modify public files +## used for public file transfer services. +##
+#### Allow Apache to modify public files ## used for public file transfer services. Directories/Files must -## be labeled public_content_rw_t. +## be labeled public_rw_content_t. ##
##+## Allow httpd scripts and modules execmem/execstack +##
+#### Allow httpd to use built in scripting (usually php) ##
##+## Allow HTTPD scripts and modules to connect to cobbler over the network. +##
+#### Allow HTTPD scripts and modules to connect to databases over the network. ##
##+## Allow httpd to connect to memcache server +##
+#### Allow httpd to act as a relay ##
##+## Allow http daemon to check spam +##
+#### Allow Apache to communicate with avahi service via dbus ##
##+## Allow httpd to read user content +##
+##+## Allow httpd daemon to change system limits +##
+#### Allow HTTPD to run SSI executables in the same domain as system CGI scripts. ##
##+## Allow Apache to execute tmp content. +##
+##
## Unify HTTPD to communicate with the terminal.
## Needed for entering the passphrase for certificates at
## the terminal.
@@ -131,7 +182,7 @@
##
-## Allow httpd to run gpg
+## Allow httpd to run gpg in gpg-web domain
##
+## Allow apache scripts to write to public content. Directories/Files must be labeled public_rw_content_t. +##
+##+## Allow Apache to use mod_auth_pam +##
+##+## Allow clamd to use JIT compiler +##
+##+## Allow Cobbler to connect to the +## network using TCP. +##
+##+## DenyHosts is a script intended to be run by Linux +## system administrators to help thwart SSH server attacks +## (also known as dictionary based attacks and brute force +## attacks). +##
+##+## Allow ftp servers to use connect to mysql database +##
+#### Allow ftp to read and write files in the user home directories ##
##+## Allow anon internal-sftp to upload files, used for +## public file transfer services. Directories must be labeled +## public_content_rw_t. +##
+##+## Allow sftp-internal to login to local users and +## read/write all files on the system, governed by DAC. +##
+##+## Allow interlnal-sftp to read and write files +## in the user ssh home directories. +##
+##+## Allow sftp-internal to read and write files +## in the user home directories +##
+##+## A really simple TCP git daemon that normally listens on +## port DEFAULT_GIT_PORT aka 9418. It waits for a +## connection asking for a service, and will serve that +## service if it is enabled. +##
+##+## Allow Git daemon system to search home directories. +##
+##+## Allow Git daemon system to access cifs file systems. +##
+##+## Allow Git daemon system to access nfs file systems. +##
+##+## Allow Git daemon session to bind +## tcp sockets to all unreserved ports. +##
+##+## Allow icecast to connect to all ports, not just +## sound ports. +##
+##+## Allow fenced domain to connect to the network using TCP. +##
+##+## Allow confined applications to use nscd shared memory. +##
+##+## Allow piranha-lvs domain to connect to the network using TCP. +##
+##+## Allow postfix_local domain full write access to mail_spool directories +## +##
+##+## Allow rgmanager domain to connect to the network using TCP. +##
+##+## Allow fenced domain to connect to the network using TCP. +##
+##+## Allow rsync to run as a client +##
+#### Allow rsync to export any files/directories read only. ##
##+## Allow samba to export ntfs/fusefs volumes. +##
+##+## Allow squid to run as a transparent proxy (TPROXY) +##
+##+## Allow virtual machine to interact with the xserver +##
+#### Allow virt to use usb devices ##
##+## Allows XServer to execute writable memory +##
+#### Allow xdm logins as sysadm ##
##+## Allow regular users direct dri device access +##
+##+## Execute a init script in a specified role +##
+##+## No interprocess communication (signals, pipes, +## etc.) is provided by this interface since +## the domains are not owned by this module. +##
+##+## Allow all daemons the ability to read/write terminals +##
+##+## Allow all daemons to write corefiles to / +##
+##+## Make the specified type usable for cert files. +## This will also make the type usable for files, making +## calls to files_type() redundant. Failure to use this interface +## for a temporary file may result in problems with +## cert management tools. +##
+##+## Related interfaces: +##
+##+## Example: +##
+##+## type mycertfile_t; +## cert_type(mycertfile_t) +## allow mydomain_t mycertfile_t:file read_file_perms; +## files_search_etc(mydomain_t) +##
+##+## Execute dhclient script in a specified role +##
+##+## No interprocess communication (signals, pipes, +## etc.) is provided by this interface since +## the domains are not owned by this module. +##
+##+## Allow dhcpc client applications to execute iptables commands +##
+##-## Allow unconfined to execute the specified program in -## the specified domain. -##
-##-## This is a interface to support third party modules -## and its use is not allowed in upstream reference -## policy. -##
-##-## Allow unconfined to execute the specified program in -## the specified domain. Allow the specified domain the -## unconfined role and use of unconfined user terminals. -##
-##-## This is a interface to support third party modules -## and its use is not allowed in upstream reference -## policy. -##
-##-## Do not audit attempts to read or write -## unconfined domain tcp sockets. -##
-##-## This interface was added due to a broken -## symptom in ldconfig. -##
-##-## Allow users to read system messages. +## Allow user to r/w files on filesystems +## that do not have extended attributes (FAT, CDROM, FLOPPY) ##
##-## Allow user to r/w files on filesystems -## that do not have extended attributes (FAT, CDROM, FLOPPY) +## Allow user processes to change their priority ##
##
@@ -54,11 +54,20 @@
# all user domains
attribute userdomain;
+attribute userhomereader;
+attribute userhomewriter;
+
# unprivileged user domains
attribute unpriv_userdomain;
-attribute untrusted_content_type;
-attribute untrusted_content_tmp_type;
+# unprivileged user domains
+attribute user_home_type;
+
+type admin_home_t;
+files_type(admin_home_t)
+files_associate_tmp(admin_home_t)
+fs_associate_tmpfs(admin_home_t)
+files_mountpoint(admin_home_t)
type user_home_dir_t alias { staff_home_dir_t sysadm_home_dir_t secadm_home_dir_t auditadm_home_dir_t unconfined_home_dir_t };
fs_associate_tmpfs(user_home_dir_t)
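Review bot: The added comment `# unprivileged user domains` above `attribute user_home_type;` duplicates the comment for `unpriv_userdomain` two lines earlier and does not describe the new attribute, which the next hunk populates with `typeattribute user_home_t user_home_type;`; suggest `# types of content that live in user home directories`. The new `type admin_home_t;` receives `files_mountpoint`, tmp and tmpfs association but no comment saying what it labels (presumably the administrator's home directory); a one-line comment above the type declaration would help. The file header for this hunk was lost in the diff, so the file is inferred to be userdomain.te.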
@@ -72,6 +81,7 @@
type user_home_t alias { staff_home_t sysadm_home_t secadm_home_t auditadm_home_t unconfined_home_t };
typealias user_home_t alias { staff_untrusted_content_t sysadm_untrusted_content_t secadm_untrusted_content_t auditadm_untrusted_content_t unconfined_untrusted_content_t };
+typeattribute user_home_t user_home_type;
userdom_user_home_content(user_home_t)
fs_associate_tmpfs(user_home_t)
files_associate_tmp(user_home_t)
@@ -97,3 +107,41 @@
type user_tty_device_t alias { staff_tty_device_t sysadm_tty_device_t secadm_tty_device_t auditadm_tty_device_t unconfined_tty_device_t };
dev_node(user_tty_device_t)
ubac_constrained(user_tty_device_t)
+
+type audio_home_t;
+userdom_user_home_content(audio_home_t)
+ubac_constrained(audio_home_t)
+
+type home_bin_t;
+userdom_user_home_content(home_bin_t)
+ubac_constrained(home_bin_t)
+
+type home_cert_t;
+miscfiles_cert_type(home_cert_t)
+userdom_user_home_content(home_cert_t)
+ubac_constrained(home_cert_t)
+
+tunable_policy(`allow_console_login',`
+ term_use_console(userdomain)
+')
+
+tunable_policy(`use_nfs_home_dirs',`
+ fs_list_nfs(userhomereader)
+ fs_read_nfs_files(userhomereader)
+ fs_read_nfs_symlinks(userhomereader)
+ fs_read_nfs_named_sockets(userhomereader)
+ fs_read_nfs_named_pipes(userhomereader)
+')
+
+tunable_policy(`use_samba_home_dirs',`
+ fs_list_cifs(userhomereader)
+ fs_read_cifs_files(userhomereader)
+ fs_read_cifs_symlinks(userhomereader)
+ fs_read_cifs_named_sockets(userhomereader)
+ fs_read_cifs_named_pipes(userhomereader)
+')
+
+allow userdomain userdomain:process signull;
+
+# Nautilus causes this avc
+dontaudit unpriv_userdomain self:dir setattr;
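Review bot: `allow userdomain userdomain:process signull;` is an unconditional grant between every pair of user domains, including unprivileged ones, and lets any user process probe whether a given PID exists in another user's domain; it carries no tunable and no comment. If a specific client needs it, a comment naming the requester and a narrower source or target (or a tunable) would be preferable to the blanket rule. Likewise `tunable_policy(`allow_console_login',` applies `term_use_console` to all of `userdomain` rather than only privileged domains; if unprivileged console login under that boolean is intended, a comment should say so, following the style of the existing `# Nautilus causes this avc` note.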
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.if serefpolicy-3.7.19/policy/modules/system/xen.if
--- nsaserefpolicy/policy/modules/system/xen.if 2010-04-13 20:44:37.000000000 +0200
+++ serefpolicy-3.7.19/policy/modules/system/xen.if 2010-05-28 09:42:00.530610879 +0200
@@ -213,8 +213,9 @@
interface(`xen_domtrans_xm',`
gen_require(`
type xm_t, xm_exec_t;
+ attribute xm_transition_domain;
')
-
+ typeattribute $1 xm_transition_domain;
domtrans_pattern($1, xm_exec_t, xm_t)
')
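Review bot: `typeattribute $1 xm_transition_domain;` now makes every caller of `xen_domtrans_xm` a member of an attribute that only xen.te consumes, but the interface's documentation block (above this hunk) is not updated; add a sentence such as `## The caller is also given the xm_transition_domain attribute so xm's helper domains can recognise descriptors inherited from it`. Pulling the attribute into `gen_require` means the interface fails to load without xen.te, which matches the existing dependency on `xm_t` and is fine.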
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.te serefpolicy-3.7.19/policy/modules/system/xen.te
--- nsaserefpolicy/policy/modules/system/xen.te 2010-04-13 20:44:37.000000000 +0200
+++ serefpolicy-3.7.19/policy/modules/system/xen.te 2010-07-23 14:36:40.882388397 +0200
@@ -5,6 +5,7 @@
#
# Declarations
#
+attribute xm_transition_domain;
##
@@ -347,6 +348,7 @@
files_read_usr_files(xenstored_t)
+fs_search_xenfs(xenstored_t)
fs_manage_xenfs_files(xenstored_t)
storage_raw_read_fixed_disk(xenstored_t)
@@ -371,7 +373,7 @@
#
allow xm_t self:capability { dac_override ipc_lock sys_tty_config };
-allow xm_t self:process { getsched signal };
+allow xm_t self:process { getcap getsched setcap signal };
# internal communication is often done using fifo and unix sockets.
allow xm_t self:fifo_file rw_fifo_file_perms;
@@ -388,6 +390,7 @@
allow xm_t xen_image_t:blk_file read_blk_file_perms;
kernel_read_system_state(xm_t)
+kernel_read_network_state(xm_t)
kernel_read_kernel_sysctls(xm_t)
kernel_read_sysctl(xm_t)
kernel_read_xen_state(xm_t)
@@ -412,6 +415,7 @@
fs_getattr_all_fs(xm_t)
fs_manage_xenfs_dirs(xm_t)
fs_manage_xenfs_files(xm_t)
+fs_search_auto_mountpoints(xm_t)
storage_raw_read_fixed_disk(xm_t)
@@ -438,10 +442,17 @@
')
optional_policy(`
+ vhostmd_rw_tmpfs_files(xm_t)
+ vhostmd_stream_connect(xm_t)
+ vhostmd_dontaudit_rw_stream_connect(xm_t)
+')
+
+optional_policy(`
virt_domtrans(xm_t)
virt_manage_images(xm_t)
virt_manage_config(xm_t)
virt_stream_connect(xm_t)
+ virt_dontaudit_read_lib_files(xm_t)
')
########################################
@@ -454,11 +465,14 @@
kernel_read_xen_state(xm_ssh_t)
kernel_write_xen_state(xm_ssh_t)
+ dontaudit xm_ssh_t xm_transition_domain:fifo_file rw_inherited_fifo_file_perms;
files_search_tmp(xm_ssh_t)
fs_manage_xenfs_dirs(xm_ssh_t)
fs_manage_xenfs_files(xm_ssh_t)
+ userdom_search_admin_dir(xm_ssh_t)
+
#Should have a boolean wrapping these
fs_list_auto_mountpoints(xend_t)
files_search_mnt(xend_t)
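Review bot: `dontaudit xm_ssh_t xm_transition_domain:fifo_file rw_inherited_fifo_file_perms;` silences rather than decides the case where a pipe belonging to a domain that transitioned into xm_t is inherited by xm_ssh_t; if xm_ssh_t ever writes output or prompts to that inherited pipe, the write fails with nothing logged. Either allow it explicitly, `allow xm_ssh_t xm_transition_domain:fifo_file rw_inherited_fifo_file_perms;`, or keep the dontaudit and add a comment stating that the denial is known to be harmless. `userdom_search_admin_dir(xm_ssh_t)` is added without a why-comment, and the reason ssh running under xm must search the admin home is not obvious from the hunk. The enclosing block starts before this hunk.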
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/support/misc_patterns.spt serefpolicy-3.7.19/policy/support/misc_patterns.spt
--- nsaserefpolicy/policy/support/misc_patterns.spt 2010-04-13 20:44:37.000000000 +0200
+++ serefpolicy-3.7.19/policy/support/misc_patterns.spt 2010-05-28 09:42:00.532611375 +0200
@@ -15,7 +15,7 @@
domain_transition_pattern($1,$2,$3)
allow $3 $1:fd use;
- allow $3 $1:fifo_file rw_fifo_file_perms;
+ allow $3 $1:fifo_file rw_inherited_fifo_file_perms;
allow $3 $1:process sigchld;
')
@@ -34,8 +34,12 @@
domain_auto_transition_pattern($1,$2,$3)
allow $3 $1:fd use;
- allow $3 $1:fifo_file rw_fifo_file_perms;
+ allow $3 $1:fifo_file rw_inherited_fifo_file_perms;
allow $3 $1:process sigchld;
+
+ ifdef(`hide_broken_symptoms', `
+ dontaudit $3 $1:socket_class_set { read write };
+ ')
')
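Review bot: The `hide_broken_symptoms` block `dontaudit $3 $1:socket_class_set { read write };` is added only to `domain_auto_transition_pattern`, while the otherwise parallel `domtrans_pattern` in the preceding hunk receives only the fifo change; if the asymmetry is deliberate, a comment saying so would stop a later maintainer from copying it across, and if not, the same `ifdef` belongs in both macros. Note that after the `socket_class_set` change later in this patch the dontaudit also covers `tun_socket` and the generic `socket` class. Both macros extend past the hunk edges.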
#
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/support/obj_perm_sets.spt serefpolicy-3.7.19/policy/support/obj_perm_sets.spt
--- nsaserefpolicy/policy/support/obj_perm_sets.spt 2010-04-13 20:44:37.000000000 +0200
+++ serefpolicy-3.7.19/policy/support/obj_perm_sets.spt 2010-05-28 09:42:00.533610400 +0200
@@ -28,7 +28,7 @@
#
# All socket classes.
#
-define(`socket_class_set', `{ tcp_socket udp_socket rawip_socket netlink_socket packet_socket unix_stream_socket unix_dgram_socket appletalk_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket netlink_kobject_uevent_socket }')
+define(`socket_class_set', `{ socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket unix_stream_socket unix_dgram_socket appletalk_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket netlink_kobject_uevent_socket tun_socket }')
#
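Review bot: Adding `socket` and `tun_socket` to `socket_class_set` widens every rule written against the set, including the new `dontaudit ... socket_class_set { read write }` in misc_patterns.spt, and both classes must be declared in the policy's class and access-vector definitions (not in this patch) or the build fails on an unknown class. A comment above the define, e.g. `# socket and tun_socket require a flask definition that declares them`, would record the requirement; I have not verified that this tree declares them.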
@@ -105,7 +105,7 @@
#
# Permissions for using sockets.
#
-define(`rw_socket_perms', `{ ioctl read getattr write setattr append bind connect getopt setopt shutdown }')
+define(`rw_socket_perms', `{ ioctl read getattr lock write setattr append bind connect getopt setopt shutdown }')
#
# Permissions for creating and using sockets.
@@ -199,12 +199,14 @@
#
define(`getattr_file_perms',`{ getattr }')
define(`setattr_file_perms',`{ setattr }')
-define(`read_file_perms',`{ getattr open read lock ioctl }')
+define(`read_inherited_file_perms',`{ getattr read ioctl lock }')
+define(`read_file_perms',`{ open read_inherited_file_perms }')
define(`mmap_file_perms',`{ getattr open read execute ioctl }')
define(`exec_file_perms',`{ getattr open read execute ioctl execute_no_trans }')
define(`append_file_perms',`{ getattr open append lock ioctl }')
define(`write_file_perms',`{ getattr open write append lock ioctl }')
-define(`rw_file_perms',`{ getattr open read write append ioctl lock }')
+define(`rw_inherited_file_perms',`{ getattr read write append ioctl lock }')
+define(`rw_file_perms',`{ open rw_inherited_file_perms }')
define(`create_file_perms',`{ getattr create open }')
define(`rename_file_perms',`{ getattr rename }')
define(`delete_file_perms',`{ getattr unlink }')
@@ -225,7 +227,7 @@
define(`create_lnk_file_perms',`{ create getattr }')
define(`rename_lnk_file_perms',`{ getattr rename }')
define(`delete_lnk_file_perms',`{ getattr unlink }')
-define(`manage_lnk_file_perms',`{ create read write getattr setattr link unlink rename }')
+define(`manage_lnk_file_perms',`{ create getattr setattr read write append rename link unlink ioctl lock }')
define(`relabelfrom_lnk_file_perms',`{ getattr relabelfrom }')
define(`relabelto_lnk_file_perms',`{ getattr relabelto }')
define(`relabel_lnk_file_perms',`{ getattr relabelfrom relabelto }')
@@ -238,7 +240,8 @@
define(`read_fifo_file_perms',`{ getattr open read lock ioctl }')
define(`append_fifo_file_perms',`{ getattr open append lock ioctl }')
define(`write_fifo_file_perms',`{ getattr open write append lock ioctl }')
-define(`rw_fifo_file_perms',`{ getattr open read write append ioctl lock }')
+define(`rw_inherited_fifo_file_perms',`{ getattr read write append ioctl lock }')
+define(`rw_fifo_file_perms',`{ open rw_inherited_fifo_file_perms }')
define(`create_fifo_file_perms',`{ getattr create open }')
define(`rename_fifo_file_perms',`{ getattr rename }')
define(`delete_fifo_file_perms',`{ getattr unlink }')
@@ -254,7 +257,8 @@
define(`setattr_sock_file_perms',`{ setattr }')
define(`read_sock_file_perms',`{ getattr open read }')
define(`write_sock_file_perms',`{ getattr write open append }')
-define(`rw_sock_file_perms',`{ getattr open read write append }')
+define(`rw_inherited_sock_file_perms',`{ getattr read write append }')
+define(`rw_sock_file_perms',`{ open rw_inherited_sock_file_perms }')
define(`create_sock_file_perms',`{ getattr create open }')
define(`rename_sock_file_perms',`{ getattr rename }')
define(`delete_sock_file_perms',`{ getattr unlink }')
@@ -271,7 +275,8 @@
define(`read_blk_file_perms',`{ getattr open read lock ioctl }')
define(`append_blk_file_perms',`{ getattr open append lock ioctl }')
define(`write_blk_file_perms',`{ getattr open write append lock ioctl }')
-define(`rw_blk_file_perms',`{ getattr open read write append ioctl lock }')
+define(`rw_inherited_blk_file_perms',`{ getattr read write append ioctl lock }')
+define(`rw_blk_file_perms',`{ open rw_inherited_blk_file_perms }')
define(`create_blk_file_perms',`{ getattr create }')
define(`rename_blk_file_perms',`{ getattr rename }')
define(`delete_blk_file_perms',`{ getattr unlink }')
@@ -288,7 +293,8 @@
define(`read_chr_file_perms',`{ getattr open read lock ioctl }')
define(`append_chr_file_perms',`{ getattr open append lock ioctl }')
define(`write_chr_file_perms',`{ getattr open write append lock ioctl }')
-define(`rw_chr_file_perms',`{ getattr open read write append ioctl lock }')
+define(`rw_inherited_chr_file_perms',`{ getattr read write append ioctl lock }')
+define(`rw_chr_file_perms',`{ open rw_inherited_chr_file_perms }')
define(`create_chr_file_perms',`{ getattr create }')
define(`rename_chr_file_perms',`{ getattr rename }')
define(`delete_chr_file_perms',`{ getattr unlink }')
@@ -305,7 +311,8 @@
#
# Use (read and write) terminals
#
-define(`rw_term_perms', `{ getattr open read write ioctl }')
+define(`rw_inherited_term_perms', `{ getattr open read write ioctl append }')
+define(`rw_term_perms', `{ open rw_inherited_term_perms }')
#
# Sockets
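Review bot: `define(`rw_inherited_term_perms', `{ getattr open read write ioctl append }')` still contains `open`, unlike every other `*_inherited_*` set introduced in this patch, which deliberately omit it; the purpose of an inherited set is to let a domain use an already-open terminal descriptor without being able to open the tty itself, so this grants `open` to every user of the inherited macro and makes the `{ open rw_inherited_term_perms }` in `rw_term_perms` redundant. Suggest `define(`rw_inherited_term_perms', `{ getattr read write ioctl append }')`.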
@@ -317,3 +324,14 @@
# Keys
#
define(`manage_key_perms', `{ create link read search setattr view write } ')
+
+#
+# All
+#
+define(`all_capabilities', `{ chown dac_override dac_read_search fowner fsetid kill setgid setuid setpcap linux_immutable net_bind_service net_broadcast net_admin net_raw ipc_lock ipc_owner sys_module sys_rawio sys_chroot sys_ptrace sys_pacct sys_admin sys_boot sys_nice sys_resource sys_time sys_tty_config mknod lease audit_write audit_control setfcap }
+')
+
+define(`all_nscd_perms', `{ getserv getpwd getgrp gethost getstat admin shmempwd shmemgrp shmemhost shmemserv } ')
+define(`all_dbus_perms', `{ acquire_svc send_msg } ')
+define(`all_passwd_perms', `{ passwd chfn chsh rootok crontab } ')
+define(`all_association_perms', `{ sendto recvfrom setcontext polmatch } ')
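Review bot: The `all_capabilities` define closes its brace on one line and the quote `')` on the next, so its expansion carries a trailing newline that the neighbouring single-line defines (`all_nscd_perms`, `all_dbus_perms`, ...) do not; closing it on one line keeps the file consistent. The macro is also easy to misuse, since `allow X self:capability all_capabilities;` equals granting the entire capability class; a comment such as `# every permission in the capability class; intended for unconfined-style domains only` would make that cost visible at call sites.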
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/users serefpolicy-3.7.19/policy/users
--- nsaserefpolicy/policy/users 2010-04-13 20:44:36.000000000 +0200
+++ serefpolicy-3.7.19/policy/users 2010-05-28 09:42:00.534610823 +0200
@@ -6,7 +6,7 @@
#
# gen_user(username, prefix, role_set, mls_defaultlevel, mls_range, [mcs_catetories])
#
-# Note: Identities without a prefix will not be listed
+# Note: Identities without a prefix wil not be listed
# in the users_extra file used by genhomedircon.
#
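Review bot: The new line `# Note: Identities without a prefix wil not be listed` introduces a typo where the removed line correctly read `will`; this hunk changes nothing else, so it is a pure regression of the comment. Drop the hunk or restore `will`.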
@@ -15,7 +15,7 @@
# and a user process should never be assigned the system user
# identity.
#
-gen_user(system_u,, system_r, s0, s0 - mls_systemhigh, mcs_allcats)
+gen_user(system_u,, system_r unconfined_u, s0, s0 - mls_systemhigh, mcs_allcats)
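Review bot: The role list in `gen_user(system_u,, system_r unconfined_u, ...)` names `unconfined_u`, which is a user identity rather than a role; gen_user's third argument is a role set, so this either fails to build or, if `unconfined_r` was intended, gives the system identity the unconfined role. The unchanged comment two lines above says a user process should never be assigned the system user identity, so if `unconfined_r` is the intent the comment should be extended to explain why system_u now needs that role (presumably for daemons that run unconfined). If `unconfined_r` is declared only in an optional module, a base gen_user referencing it also needs the role available where this file is processed.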
#
# user_u is a generic user identity for Linux users who have no
@@ -25,11 +25,8 @@
# permit any access to such users, then remove this entry.
#
gen_user(user_u, user, user_r, s0, s0)
-gen_user(staff_u, staff, staff_r sysadm_r ifdef(`enable_mls',`secadm_r auditadm_r'), s0, s0 - mls_systemhigh, mcs_allcats)
-gen_user(sysadm_u, sysadm, sysadm_r, s0, s0 - mls_systemhigh, mcs_allcats)
-
-# Until order dependence is fixed for users:
-gen_user(unconfined_u, unconfined, unconfined_r, s0, s0 - mls_systemhigh, mcs_allcats)
+gen_user(staff_u, user, staff_r system_r sysadm_r ifdef(`enable_mls',`secadm_r auditadm_r'), s0, s0 - mls_systemhigh, mcs_allcats)
+gen_user(sysadm_u, user, sysadm_r, s0, s0 - mls_systemhigh, mcs_allcats)
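Review bot: `gen_user(staff_u, user, staff_r system_r sysadm_r ...)` both changes staff_u's prefix from `staff` to `user`, which per the header comment drives home-directory labelling through users_extra/genhomedircon, and adds `system_r` to a login user's role set, letting a staff session run in the role reserved for system processes; neither is explained in the hunk. A comment above the two lines stating the reasons, e.g. `# login users share the user prefix so home dirs get user_home_* labels; staff_r carries system_r for service management`, or whatever the real motivation is, would make the decision reviewable. The `gen_user(unconfined_u, ...)` definition is removed here and must now come from somewhere not visible in this patch.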
#
# The following users correspond to Unix identities.
@@ -38,8 +35,4 @@
# role should use the staff_r role instead of the user_r role when
# not in the sysadm_r.
#
-ifdef(`direct_sysadm_daemon',`
- gen_user(root, sysadm, sysadm_r staff_r ifdef(`enable_mls',`secadm_r auditadm_r') system_r, s0, s0 - mls_systemhigh, mcs_allcats)
-',`
- gen_user(root, sysadm, sysadm_r staff_r ifdef(`enable_mls',`secadm_r auditadm_r'), s0, s0 - mls_systemhigh, mcs_allcats)
-')
+gen_user(root, user, unconfined_r sysadm_r staff_r ifdef(`enable_mls',`secadm_r auditadm_r') system_r, s0, s0 - mls_systemhigh, mcs_allcats)
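Review bot: `gen_user(root, user, unconfined_r sysadm_r staff_r ... system_r, ...)` unconditionally grants the root identity `system_r` and `unconfined_r` and drops the `direct_sysadm_daemon` switch that previously let a build opt out of root-owned processes in system_r, while also changing the prefix from `sysadm` to `user`. That is a policy decision rather than a mechanical edit and deserves a comment above the line, e.g. `# root always carries system_r and unconfined_r; the direct_sysadm_daemon build option is no longer honoured here`. As with system_u, referencing `unconfined_r` requires the role to be declared where this file is processed.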