File selinux-policy-SUSE.patch of Package selinux-policy

Index: refpolicy/policy/modules/services/xserver.fc
===================================================================
--- refpolicy.orig/policy/modules/services/xserver.fc	2012-05-10 16:22:52.000000000 +0200
+++ refpolicy/policy/modules/services/xserver.fc	2012-10-22 21:59:12.308452994 +0200
@@ -9,6 +9,7 @@ HOME_DIR/\.ICEauthority.* --	gen_context
 HOME_DIR/\.serverauth.*	--	gen_context(system_u:object_r:xauth_home_t,s0)
 HOME_DIR/\.xauth.*	--	gen_context(system_u:object_r:xauth_home_t,s0)
 HOME_DIR/\.Xauthority.*	--	gen_context(system_u:object_r:xauth_home_t,s0)
+HOME_DIR/\.xsession-errors.*	--	gen_context(system_u:object_r:xdm_home_t,s0)
 
 #
 # /dev
Index: refpolicy/policy/modules/suse/a2a.fc
===================================================================
--- /dev/null	1970-01-01 00:00:00.000000000 +0000
+++ refpolicy/policy/modules/suse/a2a.fc	2012-10-22 21:59:12.308452994 +0200
@@ -0,0 +1,2 @@
+
+# currently has no file contexts
Index: refpolicy/policy/modules/suse/a2a.if
===================================================================
--- /dev/null	1970-01-01 00:00:00.000000000 +0000
+++ refpolicy/policy/modules/suse/a2a.if	2012-10-22 21:59:12.308452994 +0200
@@ -0,0 +1 @@
+## <summary>Policy generated by audit2allow for avc's from var log messages</summary>
Index: refpolicy/policy/modules/suse/a2a.te
===================================================================
--- /dev/null	1970-01-01 00:00:00.000000000 +0000
+++ refpolicy/policy/modules/suse/a2a.te	2012-10-22 21:59:12.308452994 +0200
@@ -0,0 +1,76 @@
+
+module a2a 1.0;
+
+require {
+	type system_cronjob_t;
+	type loadkeys_t;
+	type hald_t;
+	type usr_t;
+	type crond_t;
+	type cronjob_t;
+	type user_dbusd_t;
+	type device_t;
+	type mount_t;
+	type debugfs_t;
+	type lib_t;
+	type kernel_t;
+	type setfiles_t;
+	type klogd_t;
+	type var_log_t;
+	type proc_t;
+	type audisp_t;
+	type klogd_t;
+        type user_dbusd_t;
+        type xauth_home_t;
+	type admin_home_t;
+	class chr_file open;
+	class process setsched;
+	class chr_file { read write open };
+	class dir { getattr write add_name search };
+	class system syslog_read;
+	class key create;
+	class lnk_file read;
+	class dbus send_msg;
+	class file { read write create getattr open ioctl append };
+}
+
+optional_policy(`
+	unconfined_dbus_chat(user_dbusd_t)
+')
+
+
+#============= hald_t ==============
+allow hald_t system_cronjob_t:dbus send_msg;
+
+#============= loadkeys_t ==============
+allow loadkeys_t usr_t:file { read getattr open ioctl };
+allow loadkeys_t usr_t:lnk_file read;
+
+#============= system_cronjob_t ==============
+allow system_cronjob_t hald_t:dbus send_msg;
+
+allow crond_t cronjob_t:key create;
+
+#============= klogd_t ==============
+allow klogd_t kernel_t:system syslog_read;
+allow klogd_t var_log_t:dir { write add_name search };
+allow klogd_t var_log_t:file { write create open getattr };
+
+#============= mount_t ==============
+allow mount_t debugfs_t:dir getattr;
+allow mount_t device_t:chr_file open;
+allow mount_t kernel_t:process setsched;
+allow mount_t lib_t:chr_file { read write open };
+allow mount_t device_t:chr_file { read write };
+
+#============= setfiles_t ==============
+allow setfiles_t device_t:chr_file { read write };
+
+#============= audisp_t ==============
+allow audisp_t proc_t:file read;
+
+#============= user_dbusd_t ==============
+allow user_dbusd_t xauth_home_t:file { read append };
+
+#============= crond_t ==============
+allow crond_t admin_home_t:dir search;
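Review bot: None of the rules in a2a.te record which program or denial motivated them, so a later reader cannot tell a needed access from one captured by accident; the same holds for the other audit2allow-generated a2a*.te modules in this patch. Two rules deserve a second look before shipping. `allow mount_t lib_t:chr_file { read write open };` targets a character device that carries a library label, which is more likely a labelling problem to fix in a .fc file than an access to grant. `allow user_dbusd_t xauth_home_t:file { read append };` lets the session bus daemon read files of the type used for X authority data. The require block also lists `type klogd_t;` and `type user_dbusd_t;` twice.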
Index: refpolicy/policy/modules/suse/a2a2.fc
===================================================================
--- /dev/null	1970-01-01 00:00:00.000000000 +0000
+++ refpolicy/policy/modules/suse/a2a2.fc	2012-10-22 21:59:12.308452994 +0200
@@ -0,0 +1,2 @@
+
+# currently has no file contexts
Index: refpolicy/policy/modules/suse/a2a2.if
===================================================================
--- /dev/null	1970-01-01 00:00:00.000000000 +0000
+++ refpolicy/policy/modules/suse/a2a2.if	2012-10-22 21:59:12.308452994 +0200
@@ -0,0 +1 @@
+## <summary>Policy generated by audit2allow for avc's from var log messages</summary>
Index: refpolicy/policy/modules/suse/a2a2.te
===================================================================
--- /dev/null	1970-01-01 00:00:00.000000000 +0000
+++ refpolicy/policy/modules/suse/a2a2.te	2012-10-22 21:59:12.309453025 +0200
@@ -0,0 +1,45 @@
+
+module a2a2 1.0;
+
+require {
+	type lib_t;
+	type devicekit_power_t;
+	type avahi_t;
+	type hald_t;
+	type consolekit_t;
+	type rtkit_daemon_t;
+	type system_dbusd_t;
+	type NetworkManager_t;
+	type xdm_t;
+	class dbus send_msg;
+	class file execute_no_trans;
+}
+
+#============= NetworkManager_t ==============
+allow NetworkManager_t xdm_t:dbus send_msg;
+
+#============= avahi_t ==============
+allow avahi_t xdm_t:dbus send_msg;
+
+#============= devicekit_power_t ==============
+allow devicekit_power_t lib_t:file execute_no_trans;
+allow devicekit_power_t xdm_t:dbus send_msg;
+
+#============= hald_t ==============
+allow hald_t xdm_t:dbus send_msg;
+
+#============= rtkit_daemon_t ==============
+allow rtkit_daemon_t xdm_t:dbus send_msg;
+
+#============= system_dbusd_t ==============
+allow system_dbusd_t consolekit_t:dbus send_msg;
+allow system_dbusd_t devicekit_power_t:dbus send_msg;
+allow system_dbusd_t rtkit_daemon_t:dbus send_msg;
+allow system_dbusd_t xdm_t:dbus send_msg;
+
+#============= xdm_t ==============
+allow xdm_t NetworkManager_t:dbus send_msg;
+allow xdm_t avahi_t:dbus send_msg;
+allow xdm_t devicekit_power_t:dbus send_msg;
+allow xdm_t hald_t:dbus send_msg;
+allow xdm_t rtkit_daemon_t:dbus send_msg;
Index: refpolicy/policy/modules/suse/a2a3.fc
===================================================================
--- /dev/null	1970-01-01 00:00:00.000000000 +0000
+++ refpolicy/policy/modules/suse/a2a3.fc	2012-10-22 21:59:12.309453025 +0200
@@ -0,0 +1,2 @@
+
+# currently has no file contexts
Index: refpolicy/policy/modules/suse/a2a3.if
===================================================================
--- /dev/null	1970-01-01 00:00:00.000000000 +0000
+++ refpolicy/policy/modules/suse/a2a3.if	2012-10-22 21:59:12.309453025 +0200
@@ -0,0 +1 @@
+## <summary>Policy generated by audit2allow for avc's from var log messages</summary>
Index: refpolicy/policy/modules/suse/a2a3.te
===================================================================
--- /dev/null	1970-01-01 00:00:00.000000000 +0000
+++ refpolicy/policy/modules/suse/a2a3.te	2012-10-22 21:59:12.309453025 +0200
@@ -0,0 +1,43 @@
+
+module a2a3 1.0;
+
+require {
+	type xserver_log_t;
+	type hplip_etc_t;
+	type syslogd_t;
+	type etc_t;
+	type xauth_home_t;
+	type pulseaudio_home_t;
+	type gpg_secret_t;
+	type device_t;
+	type devlog_t;
+	type user_t;
+	type gconf_home_t;
+	type gconf_etc_t;
+	class sock_file write;
+	class fifo_file setattr;
+	class unix_dgram_socket sendto;
+	class dir { write setattr };
+	class file { write relabelfrom entrypoint read open };
+}
+
+#============= user_t ==============
+allow user_t device_t:fifo_file setattr;
+allow user_t devlog_t:sock_file write;
+allow user_t etc_t:file entrypoint;
+allow user_t gconf_etc_t:file { read open };
+#!!!! The source type 'user_t' can write to a 'dir' of the following types:
+# tmpfs_t, uml_tmp_t, xdm_tmp_t, httpd_user_ra_content_t, httpd_user_rw_content_t, gpg_agent_tmp_t, user_fonts_cache_t, user_tmp_t, ethereal_home_t, screen_home_t, user_home_t, nfsd_rw_t, session_dbusd_tmp_t, bluetooth_helper_tmpfs_t, mozilla_home_t, tmp_t, screen_var_run_t, gpg_pinentry_tmp_t, user_fonts_t, user_tmpfs_t, bluetooth_helper_tmp_t, uml_exec_t, user_fonts_config_t, ssh_home_t, httpd_user_script_exec_t, user_home_dir_t, mplayer_home_t, tvtime_home_t, uml_ro_t, uml_rw_t, nfs_t, noxattrfs
+
+allow user_t gconf_home_t:dir write;
+#!!!! The source type 'user_t' can write to a 'file' of the following types:
+# usbfs_t, uml_tmp_t, xdm_tmp_t, httpd_user_ra_content_t, httpd_user_rw_content_t, gpg_agent_tmp_t, user_fonts_cache_t, user_tmp_t, xserver_tmpfs_t, iceauth_home_t, xauth_home_t, ethereal_home_t, screen_home_t, user_home_t, nfsd_rw_t, session_dbusd_tmp_t, anon_inodefs_t, bluetooth_helper_tmpfs_t, mozilla_home_t, screen_var_run_t, user_fonts_t, user_tmpfs_t, httpd_user_htaccess_t, bluetooth_helper_tmp_t, uml_exec_t, user_fonts_config_t, ssh_home_t, httpd_user_script_exec_t, security_t, mplayer_home_t, mail_spool_t, tvtime_home_t, uml_ro_t, uml_rw_t, nfs_t, noxattrfs
+
+allow user_t gpg_secret_t:file { read write open };
+allow user_t hplip_etc_t:file { read open };
+allow user_t pulseaudio_home_t:dir setattr;
+allow user_t syslogd_t:unix_dgram_socket sendto;
+#!!!! This avc is a constraint violation.  You will need to add an attribute to either the source or target type to make it work.
+
+allow user_t xauth_home_t:file relabelfrom;
+allow user_t xserver_log_t:file { read open };
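Review bot: `allow user_t gpg_secret_t:file { read write open };` gives every process in user_t direct access to files of the GnuPG secret type, which weakens whatever separation that dedicated type is meant to provide; I would drop it and find out which program was still in user_t when the denial fired. `allow user_t etc_t:file entrypoint;` makes any generically labelled etc_t file a valid entry point into user_t, which usually indicates a mislabelled start-up script rather than a needed permission. The `relabelfrom` rule on xauth_home_t sits directly under audit2allow's own "constraint violation" warning, so the allow alone probably has no effect. The `#!!!!` hints listing the types user_t can already write suggest the gconf_home_t denials are a labelling or interface gap as well.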
Index: refpolicy/policy/modules/suse/a2a4.fc
===================================================================
--- /dev/null	1970-01-01 00:00:00.000000000 +0000
+++ refpolicy/policy/modules/suse/a2a4.fc	2012-10-22 21:59:12.309453025 +0200
@@ -0,0 +1,2 @@
+
+# currently has no file contexts
Index: refpolicy/policy/modules/suse/a2a4.if
===================================================================
--- /dev/null	1970-01-01 00:00:00.000000000 +0000
+++ refpolicy/policy/modules/suse/a2a4.if	2012-10-22 21:59:12.309453025 +0200
@@ -0,0 +1 @@
+## <summary>Policy generated by audit2allow for avc's from var log messages</summary>
Index: refpolicy/policy/modules/suse/a2a4.te
===================================================================
--- /dev/null	1970-01-01 00:00:00.000000000 +0000
+++ refpolicy/policy/modules/suse/a2a4.te	2012-10-22 21:59:12.309453025 +0200
@@ -0,0 +1,53 @@
+
+module a2a4 1.0;
+
+require {
+	type mount_t;
+	type etc_t;
+	type device_t;
+	type cupsd_t;
+	type pulseaudio_home_t;
+	type cupsd_etc_t;
+	type tmp_t;
+	type avahi_t;
+	type user_t;
+	type proc_t;
+	type gconf_home_t;
+	type xdm_tmp_t;
+	type samba_etc_t;
+	class fifo_file write;
+	class netlink_kobject_uevent_socket { read bind create getattr setopt };
+	class capability dac_override;
+	class file { write read lock create unlink open };
+	class sock_file unlink;
+	class lnk_file read;
+	class dir { remove_name add_name setattr };
+}
+
+#============= avahi_t ==============
+allow avahi_t device_t:fifo_file write;
+
+#============= cupsd_t ==============
+allow cupsd_t cupsd_etc_t:file write;
+
+#============= mount_t ==============
+allow mount_t device_t:fifo_file write;
+allow mount_t etc_t:file { write unlink };
+
+#============= user_t ==============
+allow user_t gconf_home_t:dir { remove_name add_name };
+#!!!! The source type 'user_t' can write to a 'file' of the following types:
+# uml_tmp_t, xdm_tmp_t, httpd_user_ra_content_t, httpd_user_rw_content_t, gpg_agent_tmp_t, user_fonts_cache_t, user_tmp_t, iceauth_home_t, xauth_home_t, ethereal_home_t, screen_home_t, user_home_t, nfsd_rw_t, bluetooth_helper_tmpfs_t, mozilla_home_t, screen_var_run_t, user_fonts_t, user_tmpfs_t, httpd_user_htaccess_t, bluetooth_helper_tmp_t, uml_exec_t, user_fonts_config_t, ssh_home_t, httpd_user_script_exec_t, mplayer_home_t, tvtime_home_t, uml_ro_t, uml_rw_t, nfs_t, noxattrfs
+
+allow user_t gconf_home_t:file { write create unlink open };
+allow user_t proc_t:file write;
+#!!!! The source type 'user_t' can write to a 'file' of the following types:
+# usbfs_t, uml_tmp_t, xdm_tmp_t, httpd_user_ra_content_t, httpd_user_rw_content_t, gpg_agent_tmp_t, user_fonts_cache_t, user_tmp_t, xserver_tmpfs_t, iceauth_home_t, xauth_home_t, ethereal_home_t, screen_home_t, user_home_t, nfsd_rw_t, session_dbusd_tmp_t, anon_inodefs_t, bluetooth_helper_tmpfs_t, mozilla_home_t, screen_var_run_t, user_fonts_t, user_tmpfs_t, httpd_user_htaccess_t, bluetooth_helper_tmp_t, uml_exec_t, user_fonts_config_t, ssh_home_t, httpd_user_script_exec_t, security_t, mplayer_home_t, mail_spool_t, tvtime_home_t, uml_ro_t, uml_rw_t, nfs_t, noxattrfs
+
+allow user_t pulseaudio_home_t:file { read write open lock };
+allow user_t pulseaudio_home_t:lnk_file read;
+allow user_t samba_etc_t:file { read open };
+allow user_t self:capability dac_override;
+allow user_t self:netlink_kobject_uevent_socket { read bind create getattr setopt };
+allow user_t tmp_t:dir setattr;
+allow user_t xdm_tmp_t:sock_file unlink;
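Review bot: `allow user_t self:capability dac_override;` removes SELinux's check on CAP_DAC_OVERRIDE for the ordinary login-user domain, so any privileged helper that stays in user_t may bypass file permission bits; this denial is commonly a symptom of wrong ownership or mode on a file and is better fixed there. `allow user_t proc_t:file write;` and `allow mount_t etc_t:file { write unlink };` are also broad because proc_t and etc_t are generic labels; the mount rule looks like mtab maintenance (inferred) and would be narrower against a runtime-file type such as etc_runtime_t. The two `device_t:fifo_file write` rules for avahi_t and mount_t suggest a FIFO under /dev that lacks its own file context. Most of the user_t rules here are repeated in a2aaudit3.te.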
Index: refpolicy/policy/modules/suse/a2a5.fc
===================================================================
--- /dev/null	1970-01-01 00:00:00.000000000 +0000
+++ refpolicy/policy/modules/suse/a2a5.fc	2012-10-22 21:59:12.309453025 +0200
@@ -0,0 +1,2 @@
+
+# currently has no file contexts
Index: refpolicy/policy/modules/suse/a2a5.if
===================================================================
--- /dev/null	1970-01-01 00:00:00.000000000 +0000
+++ refpolicy/policy/modules/suse/a2a5.if	2012-10-22 21:59:12.309453025 +0200
@@ -0,0 +1 @@
+## <summary>Policy generated by audit2allow for avc's from var log messages</summary>
Index: refpolicy/policy/modules/suse/a2a5.te
===================================================================
--- /dev/null	1970-01-01 00:00:00.000000000 +0000
+++ refpolicy/policy/modules/suse/a2a5.te	2012-10-22 21:59:12.310453056 +0200
@@ -0,0 +1,21 @@
+
+module a2a5 1.0;
+
+require {
+	type fsadm_t;
+	type tty_device_t;
+	type device_t;
+	type auditctl_t;
+	type hostname_t;
+	class fifo_file write;
+	class chr_file { read write };
+}
+
+#============= auditctl_t ==============
+allow auditctl_t device_t:fifo_file write;
+
+#============= fsadm_t ==============
+allow fsadm_t tty_device_t:chr_file { read write };
+
+#============= hostname_t ==============
+allow hostname_t tty_device_t:chr_file { read write };
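Review bot: All three rules here, and the `init_t:fifo_file read` and `tty_device_t:chr_file` rules in a2admesg.te, have the shape of stdin/stdout descriptors inherited from boot scripts rather than access the programs need. If the AVC records confirm that, `dontaudit` quiets the log without granting anything, e.g. `dontaudit hostname_t tty_device_t:chr_file { read write };`. Separately, the summary line in a2admesg.if says the AVCs are "related to system_dbusd_t", which does not match that module's rules and looks copied from a2adbusd.if.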
Index: refpolicy/policy/modules/suse/a2aaudit.fc
===================================================================
--- /dev/null	1970-01-01 00:00:00.000000000 +0000
+++ refpolicy/policy/modules/suse/a2aaudit.fc	2012-10-22 21:59:12.310453056 +0200
@@ -0,0 +1,2 @@
+
+# currently has no file contexts
Index: refpolicy/policy/modules/suse/a2aaudit.if
===================================================================
--- /dev/null	1970-01-01 00:00:00.000000000 +0000
+++ refpolicy/policy/modules/suse/a2aaudit.if	2012-10-22 21:59:12.310453056 +0200
@@ -0,0 +1 @@
+## <summary>Policy generated by audit2allow for avc's from var log audit audit.log</summary>
Index: refpolicy/policy/modules/suse/a2aaudit.te
===================================================================
--- /dev/null	1970-01-01 00:00:00.000000000 +0000
+++ refpolicy/policy/modules/suse/a2aaudit.te	2012-10-22 21:59:12.310453056 +0200
@@ -0,0 +1,16 @@
+
+module a2aaudit 1.0;
+
+require {
+	type fsdaemon_t;
+	type crond_t;
+	type usr_t;
+	class capability audit_control;
+	class file { read getattr open };
+}
+
+#============= crond_t ==============
+allow crond_t self:capability audit_control;
+
+#============= fsdaemon_t ==============
+allow fsdaemon_t usr_t:file { read getattr open };
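Review bot: `allow crond_t self:capability audit_control;` is a bare capability grant that does not say why cron needs it, and audit_control covers changing the audit configuration as well as the login-UID set-up done for new sessions. If the login UID is the reason (to be confirmed from the AVC), refpolicy's `logging_set_loginuid(crond_t)` states that intent and keeps the grant aligned with upstream. If the raw rule stays, a comment such as `# needed for login-UID set-up in cron sessions` would record the justification.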
Index: refpolicy/policy/modules/suse/a2aaudit2.fc
===================================================================
--- /dev/null	1970-01-01 00:00:00.000000000 +0000
+++ refpolicy/policy/modules/suse/a2aaudit2.fc	2012-10-22 21:59:12.310453056 +0200
@@ -0,0 +1,2 @@
+
+# currently has no file contexts
Index: refpolicy/policy/modules/suse/a2aaudit2.if
===================================================================
--- /dev/null	1970-01-01 00:00:00.000000000 +0000
+++ refpolicy/policy/modules/suse/a2aaudit2.if	2012-10-22 21:59:12.310453056 +0200
@@ -0,0 +1 @@
+## <summary>Policy generated by audit2allow for avc's from var log audit audit.log</summary>
Index: refpolicy/policy/modules/suse/a2aaudit2.te
===================================================================
--- /dev/null	1970-01-01 00:00:00.000000000 +0000
+++ refpolicy/policy/modules/suse/a2aaudit2.te	2012-10-22 21:59:12.310453056 +0200
@@ -0,0 +1,37 @@
+
+module a2aaudit2 1.0;
+
+require {
+	type consolekit_var_run_t;
+	type udev_t;
+	type nscd_t;
+	type consolekit_t;
+	type lib_t;
+	type system_dbusd_var_run_t;
+	type cupsd_t;
+	class process { execstack execmem };
+	class fifo_file write;
+	class dir { write search rmdir remove_name create add_name };
+	class file { read create execute_no_trans write getattr unlink open };
+}
+
+#============= consolekit_t ==============
+allow consolekit_t lib_t:file execute_no_trans;
+#!!!! The source type 'consolekit_t' can write to a 'dir' of the following types:
+# consolekit_var_run_t, user_fonts_cache_t
+
+allow consolekit_t system_dbusd_var_run_t:dir { write remove_name create add_name rmdir };
+#!!!! The source type 'consolekit_t' can write to a 'file' of the following types:
+# pam_var_console_t, consolekit_var_run_t, user_fonts_cache_t, consolekit_log_t
+
+allow consolekit_t system_dbusd_var_run_t:file { write create unlink open };
+
+#============= cupsd_t ==============
+allow cupsd_t self:process { execstack execmem };
+
+#============= nscd_t ==============
+allow nscd_t self:fifo_file write;
+
+#============= udev_t ==============
+allow udev_t consolekit_var_run_t:dir search;
+allow udev_t consolekit_var_run_t:file { read getattr open };
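Review bot: `allow cupsd_t self:process { execstack execmem };` switches off SELinux's executable-memory checks for the print daemon, and a2adbusd.te grants the same pair to system_dbusd_t. These denials most often come from a binary or library whose ELF header requests an executable stack, so the durable fix is to correct that marking on the offending object and leave the policy unchanged. The consolekit_t rules create and delete entries in system_dbusd_var_run_t while audit2allow's own `#!!!!` hint names consolekit_var_run_t as a type it may already write, which points to a file-context or type-transition gap rather than a missing allow.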
Index: refpolicy/policy/modules/suse/a2aaudit3.fc
===================================================================
--- /dev/null	1970-01-01 00:00:00.000000000 +0000
+++ refpolicy/policy/modules/suse/a2aaudit3.fc	2012-10-22 21:59:12.310453056 +0200
@@ -0,0 +1,2 @@
+
+# currently has no file contexts
Index: refpolicy/policy/modules/suse/a2aaudit3.if
===================================================================
--- /dev/null	1970-01-01 00:00:00.000000000 +0000
+++ refpolicy/policy/modules/suse/a2aaudit3.if	2012-10-22 21:59:12.310453056 +0200
@@ -0,0 +1 @@
+## <summary>Policy generated by audit2allow for avc's from var log audit audit.log</summary>
Index: refpolicy/policy/modules/suse/a2aaudit3.te
===================================================================
--- /dev/null	1970-01-01 00:00:00.000000000 +0000
+++ refpolicy/policy/modules/suse/a2aaudit3.te	2012-10-22 21:59:12.311453087 +0200
@@ -0,0 +1,43 @@
+
+module a2aaudit3 1.0;
+
+require {
+	type tmp_t;
+	type user_t;
+	type gconf_home_t;
+	type pulseaudio_home_t;
+	type samba_etc_t;
+	type mail_spool_t;
+	type default_t;
+	type postfix_local_t;
+	type etc_t;
+	type chkpwd_t;
+	type bin_t;
+	type shell_exec_t;
+	type xsession_exec_t;
+	class lnk_file read;
+	class netlink_kobject_uevent_socket { bind create getattr setopt };
+	class dir { remove_name add_name rmdir setattr search };
+	class file { write entrypoint read lock create unlink open rmdir };
+}
+
+#============= user_t ==============
+allow user_t gconf_home_t:dir { remove_name add_name };
+allow user_t gconf_home_t:file { write create unlink open };
+allow user_t pulseaudio_home_t:file { read write open lock };
+allow user_t pulseaudio_home_t:lnk_file read;
+allow user_t pulseaudio_home_t:dir rmdir;
+allow user_t samba_etc_t:file { read open };
+allow user_t self:netlink_kobject_uevent_socket { bind create getattr setopt };
+allow user_t tmp_t:dir setattr;
+allow user_t pulseaudio_home_t:dir rmdir;
+
+#============= postfix_local_t ==============
+allow postfix_local_t default_t:dir search;
+allow postfix_local_t mail_spool_t:file write;
+
+#============= chkpwd_t ==============
+allow chkpwd_t bin_t:file entrypoint;
+allow chkpwd_t etc_t:file entrypoint;
+allow chkpwd_t shell_exec_t:file entrypoint;
+allow chkpwd_t xsession_exec_t:file entrypoint;
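Review bot: The four `chkpwd_t ...:file entrypoint` rules allow generic binaries (bin_t), shells, session scripts and etc_t files to start in what is, judging by its name, the password-checking domain; that only makes sense if something transitioned into chkpwd_t by mistake, so I would remove them and trace the transition that produced the denials. In the require block, `class file { ... rmdir }` names a permission that belongs to the dir class, so the module may not compile as written. `allow user_t pulseaudio_home_t:dir rmdir;` appears twice, and the remaining user_t rules duplicate a2a4.te.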
Index: refpolicy/policy/modules/suse/a2adbusd.fc
===================================================================
--- /dev/null	1970-01-01 00:00:00.000000000 +0000
+++ refpolicy/policy/modules/suse/a2adbusd.fc	2012-10-22 21:59:12.311453087 +0200
@@ -0,0 +1,2 @@
+
+# currently has no file contexts
Index: refpolicy/policy/modules/suse/a2adbusd.if
===================================================================
--- /dev/null	1970-01-01 00:00:00.000000000 +0000
+++ refpolicy/policy/modules/suse/a2adbusd.if	2012-10-22 21:59:12.311453087 +0200
@@ -0,0 +1 @@
+## <summary>Policy generated by audit2allow for avc's related to system_dbusd_t</summary>
Index: refpolicy/policy/modules/suse/a2adbusd.te
===================================================================
--- /dev/null	1970-01-01 00:00:00.000000000 +0000
+++ refpolicy/policy/modules/suse/a2adbusd.te	2012-10-22 21:59:12.311453087 +0200
@@ -0,0 +1,144 @@
+
+module a2adbusd 1.0;
+
+require {
+	type user_t;
+	type var_log_t;
+	type setroubleshootd_exec_t;
+	type bin_t;
+	type setroubleshoot_var_lib_t;
+	type default_t;
+	type rpm_var_lib_t;
+	type setroubleshoot_var_log_t;
+	type system_dbusd_t;
+	type session_dbusd_tmp_t;
+	type system_dbusd_var_run_t;
+        type user_dbusd_t;
+        type syslogd_t;
+        type devicekit_power_t;
+        type avahi_t;
+        type user_t;
+        type consolekit_t;
+        type rtkit_daemon_t;
+	type fusefs_t;
+	type sysfs_t;
+	type gconf_home_t;
+	type xdm_var_run_t;
+	type etc_runtime_t;
+	type gconf_etc_t;
+	type debugfs_t;
+	type lib_t;
+	type fuse_device_t;
+	type xserver_t;
+	type etc_t;
+	type user_home_t;
+	type fixed_disk_device_t;
+	type mount_exec_t;
+        class fifo_file setattr;
+        class dbus send_msg;
+        class file { write entrypoint read open append };
+        class sock_file write;
+        class unix_dgram_socket sendto;
+        class dir search;
+
+	class process { execstack execmem };
+	class lnk_file read;
+	class dir { write search getattr };
+        class process getsched;
+        class unix_stream_socket connectto;
+        class netlink_kobject_uevent_socket { bind create setopt getattr };
+        class chr_file { read write open };
+        class capability { setuid dac_override };
+        class file { rename execute setattr read lock create ioctl execute_no_trans write getattr link unlink open append };
+        class filesystem mount;
+        class sock_file { write create unlink };
+        class blk_file getattr;
+        class dir { search setattr read mounton write getattr remove_name open add_name };
+
+}
+optional_policy(`
+	unconfined_dbus_chat(user_t)
+')
+
+#============= system_dbusd_t ==============
+allow system_dbusd_t bin_t:file { read execute open getattr };
+allow system_dbusd_t bin_t:lnk_file read;
+allow system_dbusd_t default_t:dir search;
+#!!!! The source type 'system_dbusd_t' can write to a 'dir' of the following types:
+# tmp_t, system_dbusd_var_run_t, var_run_t, system_dbusd_tmp_t
+
+allow system_dbusd_t rpm_var_lib_t:dir { write getattr search };
+allow system_dbusd_t rpm_var_lib_t:file { read lock getattr open };
+allow system_dbusd_t self:process { execstack execmem };
+allow system_dbusd_t setroubleshoot_var_lib_t:dir search;
+#!!!! The source type 'system_dbusd_t' can write to a 'file' of the following types:
+# system_dbusd_var_run_t, system_dbusd_tmp_t
+
+allow system_dbusd_t setroubleshoot_var_lib_t:file { read write getattr open setattr };
+allow system_dbusd_t setroubleshoot_var_log_t:dir search;
+#!!!! The source type 'system_dbusd_t' can write to a 'file' of the following types:
+# system_dbusd_var_run_t, security_t, system_dbusd_tmp_t
+
+allow system_dbusd_t setroubleshoot_var_log_t:file { write getattr open };
+allow system_dbusd_t setroubleshootd_exec_t:file { ioctl execute read open getattr execute_no_trans };
+allow system_dbusd_t var_log_t:dir search;
+
+#============= avahi_t ==============
+allow avahi_t user_t:dbus send_msg;
+
+#============= consolekit_t ==============
+allow consolekit_t user_t:dbus send_msg;
+
+#============= devicekit_power_t ==============
+allow devicekit_power_t user_t:dbus send_msg;
+
+#============= rtkit_daemon_t ==============
+allow rtkit_daemon_t user_t:dbus send_msg;
+
+#============= system_dbusd_t ==============
+allow system_dbusd_t user_dbusd_t:dbus send_msg;
+allow system_dbusd_t user_t:dbus send_msg;
+
+#============= user_dbusd_t ==============
+allow user_dbusd_t system_dbusd_t:dbus send_msg;
+allow user_dbusd_t user_t:dbus send_msg;
+allow user_dbusd_t debugfs_t:dir search;
+allow user_dbusd_t default_t:dir { write search read open getattr mounton };
+allow user_dbusd_t default_t:file { read append };
+allow user_dbusd_t etc_runtime_t:file { read write getattr open append };
+allow user_dbusd_t etc_t:dir { write remove_name add_name };
+allow user_dbusd_t etc_t:file { write create unlink link };
+allow user_dbusd_t fixed_disk_device_t:blk_file getattr;
+allow user_dbusd_t fuse_device_t:chr_file { read write open };
+allow user_dbusd_t fusefs_t:filesystem mount;
+allow user_dbusd_t gconf_etc_t:dir { read search open getattr };
+allow user_dbusd_t gconf_etc_t:file { read getattr open };
+allow user_dbusd_t gconf_home_t:dir { write search read remove_name open getattr add_name };
+allow user_dbusd_t gconf_home_t:file { rename setattr read create write getattr unlink open append };
+allow user_dbusd_t lib_t:file execute_no_trans;
+allow user_dbusd_t mount_exec_t:file { read execute open execute_no_trans };
+allow user_dbusd_t self:capability { setuid dac_override };
+allow user_dbusd_t self:netlink_kobject_uevent_socket { bind create setopt getattr };
+allow user_dbusd_t self:process getsched;
+allow user_dbusd_t self:unix_stream_socket connectto;
+allow user_dbusd_t session_dbusd_tmp_t:sock_file { write create };
+allow user_dbusd_t sysfs_t:dir { read search open getattr };
+allow user_dbusd_t system_dbusd_t:unix_stream_socket connectto;
+allow user_dbusd_t system_dbusd_var_run_t:dir search;
+allow user_dbusd_t system_dbusd_var_run_t:sock_file write;
+allow user_dbusd_t user_home_t:dir { read write add_name remove_name };
+allow user_dbusd_t user_home_t:file { write rename create unlink };
+allow user_dbusd_t user_t:unix_stream_socket connectto;
+allow user_dbusd_t xdm_var_run_t:dir search;
+allow user_dbusd_t xdm_var_run_t:file { read getattr open };
+allow user_dbusd_t xserver_t:unix_stream_socket connectto;
+
+#============= user_t ==============
+allow user_t avahi_t:dbus send_msg;
+allow user_t consolekit_t:dbus send_msg;
+allow user_t devicekit_power_t:dbus send_msg;
+allow user_t rtkit_daemon_t:dbus send_msg;
+allow user_t session_dbusd_tmp_t:dir { write remove_name add_name setattr };
+allow user_t session_dbusd_tmp_t:file { read write create open lock };
+allow user_t session_dbusd_tmp_t:sock_file { write create unlink };
+
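Review bot: The user_dbusd_t block reads as if programs started by the session bus stay in the bus daemon's domain: it gains `self:capability { setuid dac_override }`, create/unlink/link on etc_t files, `fusefs_t:filesystem mount` and `mount_exec_t:file { ... execute_no_trans }`, and a2adbusd2.te adds `capability chown`, `etc_t:file { rename setattr }` and unmount. Granting these to the message bus gives every bus-activated program the union of the permissions; a domain transition for the helper that mounts or edits files would keep user_dbusd_t small. `allow system_dbusd_t setroubleshootd_exec_t:file { ... execute_no_trans };` has the same shape on the system bus. The require block repeats `type user_t;` and several class lines.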
Index: refpolicy/policy/modules/suse/a2adbusd2.fc
===================================================================
--- /dev/null	1970-01-01 00:00:00.000000000 +0000
+++ refpolicy/policy/modules/suse/a2adbusd2.fc	2012-10-22 21:59:12.311453087 +0200
@@ -0,0 +1,2 @@
+
+# currently has no file contexts
Index: refpolicy/policy/modules/suse/a2adbusd2.if
===================================================================
--- /dev/null	1970-01-01 00:00:00.000000000 +0000
+++ refpolicy/policy/modules/suse/a2adbusd2.if	2012-10-22 21:59:12.311453087 +0200
@@ -0,0 +1 @@
+## <summary>Policy generated by audit2allow for avc's from var log messages</summary>
Index: refpolicy/policy/modules/suse/a2adbusd2.te
===================================================================
--- /dev/null	1970-01-01 00:00:00.000000000 +0000
+++ refpolicy/policy/modules/suse/a2adbusd2.te	2012-10-22 21:59:12.311453087 +0200
@@ -0,0 +1,31 @@
+
+module a2adbusd2 1.0;
+
+require {
+	type user_t;
+	type fusefs_t;
+	type etc_t;
+	type user_dbusd_t;
+	type session_dbusd_tmp_t;
+	type etc_runtime_t;
+	type system_cronjob_t;
+	type system_dbusd_t;
+	class dbus send_msg;
+	class capability chown;
+	class sock_file unlink;
+	class file { rename unlink setattr };
+	class filesystem unmount;
+}
+
+#============= user_dbusd_t ==============
+allow user_dbusd_t etc_runtime_t:file unlink;
+allow user_dbusd_t etc_t:file { rename setattr };
+allow user_dbusd_t fusefs_t:filesystem unmount;
+allow user_dbusd_t self:capability chown;
+allow user_dbusd_t session_dbusd_tmp_t:sock_file unlink;
+
+#============= user_t ==============
+allow user_t session_dbusd_tmp_t:file unlink;
+
+#============= system_dbusd_t ==============
+allow system_dbusd_t system_cronjob_t:dbus send_msg;
Index: refpolicy/policy/modules/suse/a2admesg.fc
===================================================================
--- /dev/null	1970-01-01 00:00:00.000000000 +0000
+++ refpolicy/policy/modules/suse/a2admesg.fc	2012-10-22 21:59:12.311453087 +0200
@@ -0,0 +1,2 @@
+
+# currently has no file contexts
Index: refpolicy/policy/modules/suse/a2admesg.if
===================================================================
--- /dev/null	1970-01-01 00:00:00.000000000 +0000
+++ refpolicy/policy/modules/suse/a2admesg.if	2012-10-22 21:59:12.312453118 +0200
@@ -0,0 +1 @@
+## <summary>Policy generated by audit2allow for avc's related to system_dbusd_t</summary>
Index: refpolicy/policy/modules/suse/a2admesg.te
===================================================================
--- /dev/null	1970-01-01 00:00:00.000000000 +0000
+++ refpolicy/policy/modules/suse/a2admesg.te	2012-10-22 21:59:12.312453118 +0200
@@ -0,0 +1,26 @@
+
+module a2admesg 1.0;
+
+require {
+	type hwclock_t;
+	type mount_t;
+	type init_t;
+	type setfiles_t;
+	type klogd_t;
+	type tty_device_t;
+	class chr_file { read write };
+	class fifo_file read;
+}
+
+#============= hwclock_t ==============
+allow hwclock_t init_t:fifo_file read;
+
+#============= klogd_t ==============
+allow klogd_t init_t:fifo_file read;
+allow klogd_t tty_device_t:chr_file { read write };
+
+#============= mount_t ==============
+allow mount_t init_t:fifo_file read;
+
+#============= setfiles_t ==============
+allow setfiles_t init_t:fifo_file read;
Index: refpolicy/policy/modules/suse/a2adolphin.fc
===================================================================
--- /dev/null	1970-01-01 00:00:00.000000000 +0000
+++ refpolicy/policy/modules/suse/a2adolphin.fc	2012-10-22 21:59:12.312453118 +0200
@@ -0,0 +1,2 @@
+
+# currently has no file contexts
Index: refpolicy/policy/modules/suse/a2adolphin.if
===================================================================
--- /dev/null	1970-01-01 00:00:00.000000000 +0000
+++ refpolicy/policy/modules/suse/a2adolphin.if	2012-10-22 21:59:12.312453118 +0200
@@ -0,0 +1 @@
+## <summary>Policy generated by audit2allow for avc's under opensuse 11.3</summary>
Index: refpolicy/policy/modules/suse/a2adolphin.te
===================================================================
--- /dev/null	1970-01-01 00:00:00.000000000 +0000
+++ refpolicy/policy/modules/suse/a2adolphin.te	2012-10-22 21:59:12.312453118 +0200
@@ -0,0 +1,13 @@
+
+module a2adolphin 1.0;
+
+require {
+	type httpd_user_content_t;
+	type exports_t;
+	type user_t;
+	class file { write read open };
+}
+
+#============= user_t ==============
+allow user_t exports_t:file { read open };
+allow user_t httpd_user_content_t:file write;
Index: refpolicy/policy/modules/suse/a2afirefox.fc
===================================================================
--- /dev/null	1970-01-01 00:00:00.000000000 +0000
+++ refpolicy/policy/modules/suse/a2afirefox.fc	2012-10-22 21:59:12.312453118 +0200
@@ -0,0 +1,2 @@
+
+# currently has no file contexts
Index: refpolicy/policy/modules/suse/a2afirefox.if
===================================================================
--- /dev/null	1970-01-01 00:00:00.000000000 +0000
+++ refpolicy/policy/modules/suse/a2afirefox.if	2012-10-22 21:59:12.312453118 +0200
@@ -0,0 +1 @@
+## <summary>Policy generated by audit2allow for avc's from var log messages</summary>
Index: refpolicy/policy/modules/suse/a2afirefox.te
===================================================================
--- /dev/null	1970-01-01 00:00:00.000000000 +0000
+++ refpolicy/policy/modules/suse/a2afirefox.te	2012-10-22 21:59:12.312453118 +0200
@@ -0,0 +1,17 @@
+
+module a2afirefox 1.0;
+
+require {
+	type tmp_t;
+	type mozilla_t;
+	type security_t;
+	type user_t;
+	class fifo_file read;
+	class dir read;
+	class filesystem getattr;
+}
+
+#============= mozilla_t ==============
+allow mozilla_t security_t:filesystem getattr;
+allow mozilla_t tmp_t:dir read;
+allow mozilla_t user_t:fifo_file read;
Index: refpolicy/policy/modules/suse/a2amozilla.fc
===================================================================
--- /dev/null	1970-01-01 00:00:00.000000000 +0000
+++ refpolicy/policy/modules/suse/a2amozilla.fc	2012-10-22 21:59:12.312453118 +0200
@@ -0,0 +1,2 @@
+
+# currently has no file contexts
Index: refpolicy/policy/modules/suse/a2amozilla.if
===================================================================
--- /dev/null	1970-01-01 00:00:00.000000000 +0000
+++ refpolicy/policy/modules/suse/a2amozilla.if	2012-10-22 21:59:12.313453148 +0200
@@ -0,0 +1 @@
+## <summary>Policy generated by audit2allow for avc's under opensuse 11.3</summary>
Index: refpolicy/policy/modules/suse/a2amozilla.te
===================================================================
--- /dev/null	1970-01-01 00:00:00.000000000 +0000
+++ refpolicy/policy/modules/suse/a2amozilla.te	2012-10-22 21:59:12.313453148 +0200
@@ -0,0 +1,39 @@
+
+module a2amozilla 1.0;
+
+require {
+	type lib_t;
+	type tmp_t;
+	type fs_t;
+	type user_t;
+	type user_dbusd_t;
+	type mozilla_t;
+	type session_dbusd_tmp_t;
+	type devpts_t;
+	type xauth_home_t;
+	class process ptrace;
+	class dir { rmdir setattr };
+	class chr_file getattr;
+	class unix_stream_socket connectto;
+	class dbus { acquire_svc send_msg };
+	class file { setattr read create execute_no_trans write relabelfrom getattr link unlink open entrypoint };
+	class filesystem getattr;
+	class sock_file { write create };
+	class dir { create rmdir search setattr write getattr remove_name add_name };
+}
+
+#============= mozilla_t ==============
+allow mozilla_t fs_t:filesystem getattr;
+allow mozilla_t lib_t:file execute_no_trans;
+allow mozilla_t session_dbusd_tmp_t:dir { write getattr search setattr add_name };
+allow mozilla_t session_dbusd_tmp_t:sock_file { write create };
+allow mozilla_t tmp_t:dir { create rmdir write remove_name add_name };
+allow mozilla_t tmp_t:file { setattr read create write getattr link unlink open };
+allow mozilla_t user_dbusd_t:dbus acquire_svc;
+allow mozilla_t self:process ptrace;
+allow mozilla_t tmp_t:dir setattr;
+allow mozilla_t xauth_home_t:file write;
+
+#============= user_dbusd_t ==============
+allow user_dbusd_t mozilla_t:dbus send_msg;
+allow user_dbusd_t mozilla_t:unix_stream_socket connectto;
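Review bot: `allow mozilla_t xauth_home_t:file write;` lets the browser domain modify the X authority file. The `tmp_t:dir` and `tmp_t:file` rules give it create, write and unlink on any content that other domains leave labelled with the generic `tmp_t`. Both widen what a compromised browser process can touch. The usual alternative for the temporary files is a private type with a transition, for example `files_tmp_filetrans(mozilla_t, mozilla_tmp_t, { file dir })`, if the mozilla module in this snapshot defines `mozilla_tmp_t`. Please also justify or drop `lib_t:file execute_no_trans` and `self:process ptrace`. The `require` block declares `class dir` twice and lists names that no rule uses (`devpts_t`, `user_t`, `chr_file getattr`, and `relabelfrom`, `entrypoint`, `execute` on `file`), which suggests it was merged by hand and should be trimmed.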
Index: refpolicy/policy/modules/suse/a2assh.fc
===================================================================
--- /dev/null	1970-01-01 00:00:00.000000000 +0000
+++ refpolicy/policy/modules/suse/a2assh.fc	2012-10-22 21:59:12.313453148 +0200
@@ -0,0 +1,2 @@
+
+# currently has no file contexts
Index: refpolicy/policy/modules/suse/a2assh.if
===================================================================
--- /dev/null	1970-01-01 00:00:00.000000000 +0000
+++ refpolicy/policy/modules/suse/a2assh.if	2012-10-22 21:59:12.313453148 +0200
@@ -0,0 +1 @@
+## <summary>Policy generated by audit2allow for avc's under opensuse 11.3</summary>
Index: refpolicy/policy/modules/suse/a2assh.te
===================================================================
--- /dev/null	1970-01-01 00:00:00.000000000 +0000
+++ refpolicy/policy/modules/suse/a2assh.te	2012-10-22 21:59:12.313453148 +0200
@@ -0,0 +1,16 @@
+
+module a2assh 1.0;
+
+require {
+	type admin_home_t;
+	type ssh_t;
+	type tty_device_t;
+	class chr_file { read write };
+	class dir { search getattr };
+	class file { read append open getattr };
+}
+
+#============= ssh_t ==============
+allow ssh_t admin_home_t:dir { search getattr };
+allow ssh_t tty_device_t:chr_file { read write };
+allow ssh_t admin_home_t:file { read append open getattr };
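Review bot: `allow ssh_t admin_home_t:file { read append open getattr };` applies to every file labelled `admin_home_t`, and the userdomain.fc hunk in this patch gives that label to all of `/root(/.*)?`. The ssh client domain can therefore read and append to any of root's files, not only its own state. If the denial came from files under `/root/.ssh` (not visible here, so this is an assumption), a dedicated context entry such as `/root/\.ssh(/.*)?	gen_context(system_u:object_r:ssh_home_t,s0)` would let the existing ssh rules apply and make this rule unnecessary. The `tty_device_t:chr_file { read write }` rule needs a comment saying why ssh touches a generic tty rather than the user's own terminal type.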
Index: refpolicy/policy/modules/suse/a2asuse113.fc
===================================================================
--- /dev/null	1970-01-01 00:00:00.000000000 +0000
+++ refpolicy/policy/modules/suse/a2asuse113.fc	2012-10-22 21:59:12.313453148 +0200
@@ -0,0 +1,2 @@
+
+# currently has no file contexts
Index: refpolicy/policy/modules/suse/a2asuse113.if
===================================================================
--- /dev/null	1970-01-01 00:00:00.000000000 +0000
+++ refpolicy/policy/modules/suse/a2asuse113.if	2012-10-22 21:59:12.313453148 +0200
@@ -0,0 +1 @@
+## <summary>Policy generated by audit2allow for avc's under opensuse 11.3</summary>
Index: refpolicy/policy/modules/suse/a2asuse113.te
===================================================================
--- /dev/null	1970-01-01 00:00:00.000000000 +0000
+++ refpolicy/policy/modules/suse/a2asuse113.te	2012-10-22 21:59:12.313453148 +0200
@@ -0,0 +1,89 @@
+
+module a2asuse113 1.0;
+
+require {
+	type udev_t;
+	type init_t;
+	type hald_t;
+	type fsadm_t;
+	type hostname_t;
+	type system_dbusd_t;
+	type lib_t;
+	type tty_device_t;
+	type user_home_t;
+	type xauth_home_t;
+	type proc_kcore_t;
+	type wtmp_t;
+	type user_dbusd_t;
+	type tmp_t;
+	type xdm_var_run_t;
+	type user_t;
+	type root_t;
+	type ptmx_t;
+	type user_ssh_agent_t;
+	type lastlog_t;
+	type utempter_t;
+	type sysadm_t;
+	type pulseaudio_home_t;
+	class lnk_file { rename create unlink };
+	class dir { write remove_name add_name mounton };
+	class unix_stream_socket connectto;
+	class dbus send_msg;
+	class netlink_audit_socket { write nlmsg_relay create read };
+	class capability { setuid sys_resource sys_ptrace audit_write };
+	class sock_file write;
+	class chr_file { read ioctl open setattr };
+	class dir mounton;
+	class file { relabelfrom execmod write read getattr unlink open append };
+	class process getsched;
+	class fd use;
+	class fifo_file read;
+}
+
+#============= fsadm_t ==============
+allow fsadm_t init_t:fifo_file read;
+
+#============= hald_t ==============
+allow hald_t self:process getsched;
+
+#============= hostname_t ==============
+allow hostname_t init_t:fifo_file read;
+
+#============= udev_t ==============
+allow udev_t init_t:fifo_file read;
+allow udev_t system_dbusd_t:fd use;
+
+#============= user_dbusd_t ==============
+allow user_dbusd_t root_t:dir mounton;
+allow user_dbusd_t tmp_t:dir mounton;
+allow user_dbusd_t user_home_t:dir mounton;
+allow user_dbusd_t xauth_home_t:file write;
+
+#============= user_ssh_agent_t ==============
+allow user_ssh_agent_t xauth_home_t:file write;
+
+#============= user_t ==============
+allow user_t lastlog_t:file { read write open };
+allow user_t lib_t:file execmod;
+allow user_t proc_kcore_t:file getattr;
+allow user_t self:capability { setuid sys_resource sys_ptrace };
+allow user_t tmp_t:file { read write unlink open };
+allow user_t tty_device_t:chr_file { read open setattr };
+allow user_t wtmp_t:file append;
+allow user_t xdm_var_run_t:sock_file write;
+allow user_t pulseaudio_home_t:dir { write remove_name add_name };
+allow user_t pulseaudio_home_t:lnk_file { rename create unlink };
+
+#============= utempter_t ==============
+allow utempter_t ptmx_t:chr_file ioctl;
+allow utempter_t user_home_t:file { write getattr };
+allow utempter_t xauth_home_t:file { write getattr };
+
+#============= sysadm_t ==============
+allow sysadm_t init_t:unix_stream_socket connectto;
+allow sysadm_t self:capability audit_write;
+allow sysadm_t self:netlink_audit_socket { write nlmsg_relay create read };
+
+#============= system_dbusd_t ==============
+allow system_dbusd_t hald_t:dbus send_msg;
+
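Review bot: `allow user_t self:capability { setuid sys_resource sys_ptrace };` lifts the SELinux restriction on those capabilities for the whole confined user domain. The rule only takes effect when a process in `user_t` already holds the capability, which usually means a privileged helper ran without a domain transition. The safer fix is a transition for that helper rather than a grant to `user_t`. The same concern applies to `user_t lib_t:file execmod`, to the direct `wtmp_t` and `lastlog_t` writes, and to the three `user_dbusd_t ... :dir mounton` rules. Each of these should either move to the domain of the program that needs it or carry a comment naming that program. The `require` block also declares `class dir` twice and lists `relabelfrom`, which no rule uses.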
Index: refpolicy/policy/modules/suse/a2ayast.fc
===================================================================
--- /dev/null	1970-01-01 00:00:00.000000000 +0000
+++ refpolicy/policy/modules/suse/a2ayast.fc	2012-10-22 21:59:12.313453148 +0200
@@ -0,0 +1,2 @@
+
+# currently has no file contexts
Index: refpolicy/policy/modules/suse/a2ayast.if
===================================================================
--- /dev/null	1970-01-01 00:00:00.000000000 +0000
+++ refpolicy/policy/modules/suse/a2ayast.if	2012-10-22 21:59:12.314453178 +0200
@@ -0,0 +1 @@
+## <summary>Policy generated by audit2allow for avc's under opensuse 11.3</summary>
Index: refpolicy/policy/modules/suse/a2ayast.te
===================================================================
--- /dev/null	1970-01-01 00:00:00.000000000 +0000
+++ refpolicy/policy/modules/suse/a2ayast.te	2012-10-22 21:59:12.314453178 +0200
@@ -0,0 +1,33 @@
+
+module a2ayast 1.0;
+
+require {
+	type user_su_t;
+	type user_tmp_t;
+	type xauth_tmp_t;
+	type user_t;
+	type var_run_t;
+	type xauth_t;
+	type default_t;
+	type xauth_home_t;
+	class process sigkill;
+	class unix_stream_socket { read write };
+	class lnk_file read;
+	class dir { write remove_name add_name };
+	class file { write relabelfrom read create unlink open };
+}
+
+#============= user_t ==============
+allow user_t default_t:lnk_file read;
+allow user_t user_su_t:process sigkill;
+allow user_t var_run_t:dir { write remove_name add_name };
+allow user_t var_run_t:file { write create unlink open };
+allow user_t xauth_tmp_t:file { read unlink open };
+
+#============= xauth_t ==============
+allow xauth_t user_t:unix_stream_socket { read write };
+allow xauth_t user_tmp_t:file { write unlink };
+
+#============= user_su_t ==============
+allow user_su_t default_t:dir remove_name;
+allow user_su_t default_t:file unlink;
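Review bot: The three rules on `default_t` (`user_t ... lnk_file read`, `user_su_t ... dir remove_name`, `user_su_t ... file unlink`) point at objects that have no file-context entry. Allowing access to `default_t` hides that labelling gap and applies to every other unlabelled path as well. I would add a context entry for the affected path and relabel it, then drop these rules. Likewise `allow user_t var_run_t:dir { write remove_name add_name };` together with the `var_run_t:file` rule lets the user domain create and delete entries in the generic run directory; a private type with `files_pid_filetrans` would confine that to the program's own files. `xauth_tmp_t` reads for `user_t` and `user_su_t:process sigkill` need a comment naming the YaST operation that triggers them.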
Index: refpolicy/policy/modules/suse/metadata.xml
===================================================================
--- /dev/null	1970-01-01 00:00:00.000000000 +0000
+++ refpolicy/policy/modules/suse/metadata.xml	2012-10-22 21:59:12.314453178 +0200
@@ -0,0 +1,3 @@
+<summary>
+	Policy modules for suse
+</summary>
Index: refpolicy/policy/modules/system/fstools.fc
===================================================================
--- refpolicy.orig/policy/modules/system/fstools.fc	2012-05-04 15:14:47.000000000 +0200
+++ refpolicy/policy/modules/system/fstools.fc	2012-10-22 21:59:12.314453178 +0200
@@ -45,3 +45,10 @@
 /usr/sbin/smartctl	--	gen_context(system_u:object_r:fsadm_exec_t,s0)
 
 /var/log/fsck(/.*)?		gen_context(system_u:object_r:fsadm_log_t,s0)
+
+ifdef(`distro_suse',`
+/usr/sbin/parted            --      gen_context(system_u:object_r:fsadm_exec_t,s0)
+/usr/sbin/partprobe         --      gen_context(system_u:object_r:fsadm_exec_t,s0)
+/usr/sbin/partx             --      gen_context(system_u:object_r:fsadm_exec_t,s0)
+')
+
Index: refpolicy/policy/modules/system/getty.te
===================================================================
--- refpolicy.orig/policy/modules/system/getty.te	2012-05-04 15:16:38.000000000 +0200
+++ refpolicy/policy/modules/system/getty.te	2012-10-22 21:59:12.314453178 +0200
@@ -107,6 +107,12 @@ ifdef(`distro_redhat',`
 	allow getty_t self:capability sys_admin;
 ')
 
+ifdef(`distro_suse',`
+	optional_policy(`
+		unconfined_domain(getty_t)
+	')
+')
+
 ifdef(`distro_ubuntu',`
 	optional_policy(`
 		unconfined_domain(getty_t)
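Review bot: `unconfined_domain(getty_t)` removes type-enforcement confinement from getty whenever the unconfined module is built, and nothing in the hunk says which denial required it. The same unexplained call is added for `syslogd_t` in logging.te and for `dhcpc_t` and `ifconfig_t` in the two sysnetwork.te hunks; `dhcpc_t` is the DHCP client domain, which handles input from the network. The `distro_redhat` block just above grants only `allow getty_t self:capability sys_admin;`, and a similarly narrow rule derived from the actual AVC records would be preferable. At minimum add a comment such as `# suse: unconfined until denials from <program> are resolved` (placeholder text). The surrounding ifdef blocks begin and end outside this hunk.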
Index: refpolicy/policy/modules/system/logging.te
===================================================================
--- refpolicy.orig/policy/modules/system/logging.te	2012-07-25 20:33:04.000000000 +0200
+++ refpolicy/policy/modules/system/logging.te	2012-10-22 21:59:12.314453178 +0200
@@ -476,6 +476,9 @@ ifdef(`distro_gentoo',`
 ifdef(`distro_suse',`
 	# suse creates a /dev/log under /var/lib/stunnel for chrooted stunnel
 	files_var_lib_filetrans(syslogd_t, devlog_t, sock_file)
+	optional_policy(`
+		unconfined_domain(syslogd_t)
+	')
 ')
 
 ifdef(`distro_ubuntu',`
Index: refpolicy/policy/modules/system/mount.fc
===================================================================
--- refpolicy.orig/policy/modules/system/mount.fc	2012-05-04 15:14:47.000000000 +0200
+++ refpolicy/policy/modules/system/mount.fc	2012-10-22 21:59:12.315453208 +0200
@@ -2,3 +2,9 @@
 /bin/umount.*			--	gen_context(system_u:object_r:mount_exec_t,s0)
 
 /usr/bin/fusermount		--	gen_context(system_u:object_r:mount_exec_t,s0)
+
+ifdef(`distro_suse',`
+/usr/sbin/umount.*              --      gen_context(system_u:object_r:mount_exec_t,s0)
+')
+
+
Index: refpolicy/policy/modules/system/sysnetwork.fc
===================================================================
--- refpolicy.orig/policy/modules/system/sysnetwork.fc	2012-05-04 15:14:47.000000000 +0200
+++ refpolicy/policy/modules/system/sysnetwork.fc	2012-10-22 21:59:12.315453208 +0200
@@ -72,3 +72,8 @@ ifdef(`distro_redhat',`
 ifdef(`distro_gentoo',`
 /var/lib/dhcpc(/.*)?		gen_context(system_u:object_r:dhcpc_state_t,s0)
 ')
+
+ifdef(`distro_suse',`
+/usr/sbin/iwconfig      --      gen_context(system_u:object_r:ifconfig_exec_t,s0)
+')
+
Index: refpolicy/policy/modules/system/sysnetwork.te
===================================================================
--- refpolicy.orig/policy/modules/system/sysnetwork.te	2012-07-25 20:33:04.000000000 +0200
+++ refpolicy/policy/modules/system/sysnetwork.te	2012-10-22 21:59:12.315453208 +0200
@@ -153,6 +153,12 @@ ifdef(`distro_ubuntu',`
 	')
 ')
 
+ifdef(`distro_suse',`
+	optional_policy(`
+		unconfined_domain(dhcpc_t)
+	')
+')
+
 optional_policy(`
 	consoletype_run(dhcpc_t, dhcpc_roles)
 ')
@@ -315,6 +321,11 @@ ifdef(`distro_ubuntu',`
 	optional_policy(`
 		unconfined_domain(ifconfig_t)
 	')
+')
+ifdef(`distro_suse',`
+	optional_policy(`
+		unconfined_domain(ifconfig_t)
+	')
 ')
 
 ifdef(`hide_broken_symptoms',`
Index: refpolicy/policy/modules/system/userdomain.fc
===================================================================
--- refpolicy.orig/policy/modules/system/userdomain.fc	2012-05-04 15:14:47.000000000 +0200
+++ refpolicy/policy/modules/system/userdomain.fc	2012-10-22 21:59:12.315453208 +0200
@@ -1,4 +1,4 @@
 HOME_DIR	-d	gen_context(system_u:object_r:user_home_dir_t,s0-mls_systemhigh)
 HOME_DIR/.+		gen_context(system_u:object_r:user_home_t,s0)
-
+/root(/.*)?		gen_context(system_u:object_r:admin_home_t,s0)
 /tmp/gconfd-USER -d	gen_context(system_u:object_r:user_tmp_t,s0)
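Review bot: The new `/root(/.*)?` entry is unconditional, while the other file-context additions in this patch (fstools.fc, mount.fc, sysnetwork.fc) are wrapped in `ifdef(`distro_suse',` … `')`. If this labelling is SUSE-specific it should be guarded the same way; if it is meant for all distributions, a comment should say so. The entry also replaces the blank line that separated the `HOME_DIR` entries from the `/tmp` entries, so I would keep that blank line and add the new entry after it. Because the pattern matches everything below `/root`, any more specific per-file contexts for root's home need their own entries to avoid ending up as `admin_home_t`.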
Index: refpolicy/policy/modules/system/userdomain.if
===================================================================
--- refpolicy.orig/policy/modules/system/userdomain.if	2012-05-10 15:25:34.000000000 +0200
+++ refpolicy/policy/modules/system/userdomain.if	2012-10-22 21:59:12.316453239 +0200
@@ -3296,3 +3296,198 @@ interface(`userdom_dbus_send_all_users',
 
 	allow $1 userdomain:dbus send_msg;
 ')
+########################################
+## <summary>
+##	dontaudit Search /root
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`userdom_dontaudit_search_admin_dir',`
+	gen_require(`
+		type admin_home_t;
+	')
+
+	dontaudit $1 admin_home_t:dir search_dir_perms;
+')
+
+########################################
+## <summary>
+##	dontaudit Search getatrr /root files
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`userdom_dontaudit_getattr_admin_home_files',`
+	gen_require(`
+		type admin_home_t;
+	')
+
+	dontaudit $1 admin_home_t:file getattr;
+')
+
+########################################
+## <summary>
+##	dontaudit list /root
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`userdom_dontaudit_list_admin_dir',`
+	gen_require(`
+		type admin_home_t;
+	')
+
+	dontaudit $1 admin_home_t:dir list_dir_perms;
+')
+
+########################################
+## <summary>
+##	Allow domain to list /root
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`userdom_list_admin_dir',`
+	gen_require(`
+		type admin_home_t;
+	')
+
+	allow $1 admin_home_t:dir list_dir_perms;
+')
+
+########################################
+## <summary>
+##	Allow Search /root
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`userdom_search_admin_dir',`
+	gen_require(`
+		type admin_home_t;
+	')
+
+	allow $1 admin_home_t:dir search_dir_perms;
+')
+
+########################################
+## <summary>
+##	Add attrinute admin domain
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`userdom_admin',`
+	gen_require(`
+		attribute admin_userdomain;
+	')
+
+	typeattribute $1 admin_userdomain;
+')
+
+########################################
+## <summary>
+##	Read admin home files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`userdom_read_admin_home_files',`
+	gen_require(`
+		type admin_home_t;
+	')
+
+	read_files_pattern($1, admin_home_t, admin_home_t)
+')
+
+########################################
+## <summary>
+##	Execute admin home files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`userdom_exec_admin_home_files',`
+	gen_require(`
+		type admin_home_t;
+	')
+
+	exec_files_pattern($1, admin_home_t, admin_home_t)
+')
+
+########################################
+## <summary>
+##	Create objects in the /root directory
+##	with an automatic type transition to
+##	a specified private type.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <param name="private_type">
+##	<summary>
+##	The type of the object to create.
+##	</summary>
+## </param>
+## <param name="object_class">
+##	<summary>
+##	The class of the object to be created.
+##	</summary>
+## </param>
+#
+interface(`userdom_admin_home_dir_filetrans',`
+	gen_require(`
+		type admin_home_t;
+	')
+
+	filetrans_pattern($1, admin_home_t, $2, $3)
+')
+
+########################################
+## <summary>
+##	Append files inherited
+##	in the /root directory.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`userdom_inherit_append_admin_home_files',`
+	gen_require(`
+		type admin_home_t;
+	')
+
+	allow $1 admin_home_t:file { getattr append };
+')
+
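Review bot: The three `dontaudit` interfaces document their parameter as "Domain allowed access.", which is wrong for a rule that only suppresses logging; refpolicy's wording for this case is `Domain to not audit.`. Two summaries contain typos: "getatrr" in `userdom_dontaudit_getattr_admin_home_files` and "attrinute" in `userdom_admin`. Several summaries are also too terse to be useful in the generated documentation, for example "Allow Search /root" would read better as `Search the administrator home directory (/root).`. `userdom_admin` requires the attribute `admin_userdomain`, but the userdomain.te hunk in this patch declares only `admin_home_t`, so please confirm the attribute is declared elsewhere, otherwise any caller fails to compile. A blank line is also missing between the closing `')` of `userdom_dbus_send_all_users` and the first new banner.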
Index: refpolicy/policy/modules/system/userdomain.te
===================================================================
--- refpolicy.orig/policy/modules/system/userdomain.te	2012-07-25 20:33:04.000000000 +0200
+++ refpolicy/policy/modules/system/userdomain.te	2012-10-22 21:59:12.316453239 +0200
@@ -94,3 +94,10 @@ userdom_user_home_content(user_tmpfs_t)
 type user_tty_device_t alias { staff_tty_device_t sysadm_tty_device_t secadm_tty_device_t auditadm_tty_device_t unconfined_tty_device_t };
 dev_node(user_tty_device_t)
 ubac_constrained(user_tty_device_t)
+
+# admin domain
+type admin_home_t;
+files_type(admin_home_t)
+files_associate_tmp(admin_home_t)
+fs_associate_tmpfs(admin_home_t)
+files_mountpoint(admin_home_t)
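Review bot: The comment `# admin domain` is misleading, because `admin_home_t` is declared with `files_type`, so it is a file type and not a process domain. I would replace it with `# type for the administrator home directory (/root) and its content`. The three extra associations (`files_associate_tmp`, `fs_associate_tmpfs`, `files_mountpoint`) each need a short reason, since allowing this type on tmpfs and as a mount point is not obviously needed for a home directory.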