## The template for creating a unprivileged user roughly -@@ -990,27 +1321,33 @@ template(`userdom_unpriv_user_template', ` +@@ -990,27 +1322,33 @@ template(`userdom_unpriv_user_template', ` # # Inherit rules for ordinary users. @@ -41668,7 +42194,7 @@ index 3c5dba7..1e5eb3b 100644 fs_manage_noxattr_fs_files($1_t) fs_manage_noxattr_fs_dirs($1_t) # Write floppies -@@ -1021,23 +1358,60 @@ template(`userdom_unpriv_user_template', ` +@@ -1021,23 +1359,60 @@ template(`userdom_unpriv_user_template', ` ') ') @@ -41739,7 +42265,7 @@ index 3c5dba7..1e5eb3b 100644 ') # Run pppd in pppd_t by default for user -@@ -1046,7 +1420,9 @@ template(`userdom_unpriv_user_template', ` +@@ -1046,7 +1421,9 @@ template(`userdom_unpriv_user_template', ` ') optional_policy(` @@ -41750,7 +42276,7 @@ index 3c5dba7..1e5eb3b 100644 ') ') -@@ -1082,7 +1458,9 @@ template(`userdom_unpriv_user_template', ` +@@ -1082,7 +1459,9 @@ template(`userdom_unpriv_user_template', ` template(`userdom_admin_user_template',` gen_require(` attribute admindomain; @@ -41761,7 +42287,7 @@ index 3c5dba7..1e5eb3b 100644 ') ############################## -@@ -1098,6 +1476,7 @@ template(`userdom_admin_user_template',` +@@ -1098,6 +1477,7 @@ template(`userdom_admin_user_template',` role system_r types $1_t; typeattribute $1_t admindomain; @@ -41769,25 +42295,24 @@ index 3c5dba7..1e5eb3b 100644 ifdef(`direct_sysadm_daemon',` domain_system_change_exemption($1_t) -@@ -1109,6 +1488,7 @@ template(`userdom_admin_user_template',` +@@ -1108,14 +1488,8 @@ template(`userdom_admin_user_template',` + # $1_t local policy # - allow $1_t self:capability ~{ sys_module audit_control audit_write }; -+ allow $1_t self:capability2 { block_suspend syslog }; - allow $1_t self:process { setexec setfscreate }; - allow $1_t self:netlink_audit_socket nlmsg_readpriv; - allow $1_t self:tun_socket create; -@@ -1117,6 +1497,9 @@ template(`userdom_admin_user_template',` - # Skip authentication when pam_rootok is specified. - allow $1_t self:passwd rootok; - +- allow $1_t self:capability ~{ sys_module audit_control audit_write }; +- allow $1_t self:process { setexec setfscreate }; +- allow $1_t self:netlink_audit_socket nlmsg_readpriv; +- allow $1_t self:tun_socket create; +- # Set password information for other users. +- allow $1_t self:passwd { passwd chfn chsh }; +- # Skip authentication when pam_rootok is specified. +- allow $1_t self:passwd rootok; + # Manipulate other users crontab. + allow $1_t self:passwd crontab; -+ + kernel_read_software_raid_state($1_t) kernel_getattr_core_if($1_t) - kernel_getattr_message_if($1_t) -@@ -1131,6 +1514,7 @@ template(`userdom_admin_user_template',` +@@ -1131,6 +1505,7 @@ template(`userdom_admin_user_template',` kernel_sigstop_unlabeled($1_t) kernel_signull_unlabeled($1_t) kernel_sigchld_unlabeled($1_t) @@ -41795,7 +42320,7 @@ index 3c5dba7..1e5eb3b 100644 corenet_tcp_bind_generic_port($1_t) # allow setting up tunnels -@@ -1148,10 +1532,14 @@ template(`userdom_admin_user_template',` +@@ -1148,10 +1523,14 @@ template(`userdom_admin_user_template',` dev_rename_all_blk_files($1_t) dev_rename_all_chr_files($1_t) dev_create_generic_symlinks($1_t) @@ -41810,7 +42335,7 @@ index 3c5dba7..1e5eb3b 100644 domain_dontaudit_ptrace_all_domains($1_t) # signal all domains: domain_kill_all_domains($1_t) -@@ -1162,29 +1550,38 @@ template(`userdom_admin_user_template',` +@@ -1162,29 +1541,38 @@ template(`userdom_admin_user_template',` domain_sigchld_all_domains($1_t) # for lsof domain_getattr_all_sockets($1_t) @@ -41853,7 +42378,7 @@ index 3c5dba7..1e5eb3b 100644 # The following rule is temporary until such time that a complete # policy management infrastructure is in place so that an administrator -@@ -1194,6 +1591,8 @@ template(`userdom_admin_user_template',` +@@ -1194,6 +1582,8 @@ template(`userdom_admin_user_template',` # But presently necessary for installing the file_contexts file. seutil_manage_bin_policy($1_t) @@ -41862,7 +42387,7 @@ index 3c5dba7..1e5eb3b 100644 userdom_manage_user_home_content_dirs($1_t) userdom_manage_user_home_content_files($1_t) userdom_manage_user_home_content_symlinks($1_t) -@@ -1201,13 +1600,17 @@ template(`userdom_admin_user_template',` +@@ -1201,13 +1591,17 @@ template(`userdom_admin_user_template',` userdom_manage_user_home_content_sockets($1_t) userdom_user_home_dir_filetrans_user_home_content($1_t, { dir file lnk_file fifo_file sock_file }) @@ -41881,7 +42406,7 @@ index 3c5dba7..1e5eb3b 100644 optional_policy(` postgresql_unconfined($1_t) ') -@@ -1243,7 +1646,7 @@ template(`userdom_admin_user_template',` +@@ -1243,7 +1637,7 @@ template(`userdom_admin_user_template',` ##
++## Allow openshift to access nfs file systems without labels ++##
++##