File selinux-policy-SUSE.patch of Package selinux-policy
Index: refpolicy/policy/modules/services/xserver.fc
===================================================================
--- refpolicy.orig/policy/modules/services/xserver.fc 2012-05-10 16:22:52.000000000 +0200
+++ refpolicy/policy/modules/services/xserver.fc 2012-10-22 21:59:12.308452994 +0200
@@ -9,6 +9,7 @@ HOME_DIR/\.ICEauthority.* -- gen_context
 HOME_DIR/\.serverauth.* -- gen_context(system_u:object_r:xauth_home_t,s0)
 HOME_DIR/\.xauth.* -- gen_context(system_u:object_r:xauth_home_t,s0)
 HOME_DIR/\.Xauthority.* -- gen_context(system_u:object_r:xauth_home_t,s0)
+HOME_DIR/\.xsession-errors.* -- gen_context(system_u:object_r:xdm_home_t,s0)
 #
 # /dev
Index: refpolicy/policy/modules/suse/a2a.fc
===================================================================
--- /dev/null 1970-01-01 00:00:00.000000000 +0000
+++ refpolicy/policy/modules/suse/a2a.fc 2012-10-22 21:59:12.308452994 +0200
@@ -0,0 +1,2 @@
+
+# currently has no file contexts
Index: refpolicy/policy/modules/suse/a2a.if
===================================================================
--- /dev/null 1970-01-01 00:00:00.000000000 +0000
+++ refpolicy/policy/modules/suse/a2a.if 2012-10-22 21:59:12.308452994 +0200
@@ -0,0 +1 @@
+## <summary>Policy generated by audit2allow for avc's from var log messages</summary>
Index: refpolicy/policy/modules/suse/a2a.te
===================================================================
--- /dev/null 1970-01-01 00:00:00.000000000 +0000
+++ refpolicy/policy/modules/suse/a2a.te 2012-10-22 21:59:12.308452994 +0200
@@ -0,0 +1,76 @@
+
+module a2a 1.0;
+
+require {
+ type system_cronjob_t;
+ type loadkeys_t;
+ type hald_t;
+ type usr_t;
+ type crond_t;
+ type cronjob_t;
+ type user_dbusd_t;
+ type device_t;
+ type mount_t;
+ type debugfs_t;
+ type lib_t;
+ type kernel_t;
+ type setfiles_t;
+ type klogd_t;
+ type var_log_t;
+ type proc_t;
+ type audisp_t;
+ type klogd_t;
+ type user_dbusd_t;
+ type xauth_home_t;
+ type admin_home_t;
+ class chr_file open;
+ class process setsched;
+ class chr_file { read write open };
+ class dir { getattr write add_name search };
+ class system syslog_read;
+ class key create;
+ class lnk_file read;
+ class dbus send_msg;
+ class file { read write create getattr open ioctl append };
+}
+
+optional_policy(`
+ unconfined_dbus_chat(user_dbusd_t)
+')
+
+
+#============= hald_t ==============
+allow hald_t system_cronjob_t:dbus send_msg;
+
+#============= loadkeys_t ==============
+allow loadkeys_t usr_t:file { read getattr open ioctl };
+allow loadkeys_t usr_t:lnk_file read;
+
+#============= system_cronjob_t ==============
+allow system_cronjob_t hald_t:dbus send_msg;
+
+allow crond_t cronjob_t:key create;
+
+#============= klogd_t ==============
+allow klogd_t kernel_t:system syslog_read;
+allow klogd_t var_log_t:dir { write add_name search };
+allow klogd_t var_log_t:file { write create open getattr };
+
+#============= mount_t ==============
+allow mount_t debugfs_t:dir getattr;
+allow mount_t device_t:chr_file open;
+allow mount_t kernel_t:process setsched;
+allow mount_t lib_t:chr_file { read write open };
+allow mount_t device_t:chr_file { read write };
+
+#============= setfiles_t ==============
+allow setfiles_t device_t:chr_file { read write };
+
+#============= audisp_t ==============
+allow audisp_t proc_t:file read;
+
+#============= user_dbusd_t ==============
+allow user_dbusd_t xauth_home_t:file { read append };
+
+#============= crond_t ==============
+allow crond_t admin_home_t:dir search;
Index: 
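Review bot: `allow klogd_t var_log_t:file { write create open getattr }` together with the `var_log_t:dir { write add_name search }` rule lets klogd create and write any file carrying the generic /var/log label, which is far broader than the single boot/kernel log it is presumably after; refpolicy's logging module provides an interface for generic logs (`logging_manage_generic_logs(klogd_t)`) and, better still, a dedicated log type with a file transition so klogd's output gets its own label. `allow user_dbusd_t xauth_home_t:file { read append }` also deserves a second look: appending to ~/.Xauthority is xauth's job (xauth_t), so this denial looks like a bus-launched helper that stayed in the session-bus domain instead of transitioning, and it is worth confirming which process triggered it before granting it to the daemon. The require block lists `type klogd_t;`, `type user_dbusd_t;` and `class chr_file` twice; the duplicates can be dropped.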
refpolicy/policy/modules/suse/a2a2.fc
===================================================================
--- /dev/null 1970-01-01 00:00:00.000000000 +0000
+++ refpolicy/policy/modules/suse/a2a2.fc 2012-10-22 21:59:12.308452994 +0200
@@ -0,0 +1,2 @@
+
+# currently has no file contexts
Index: refpolicy/policy/modules/suse/a2a2.if
===================================================================
--- /dev/null 1970-01-01 00:00:00.000000000 +0000
+++ refpolicy/policy/modules/suse/a2a2.if 2012-10-22 21:59:12.308452994 +0200
@@ -0,0 +1 @@
+## <summary>Policy generated by audit2allow for avc's from var log messages</summary>
Index: refpolicy/policy/modules/suse/a2a2.te
===================================================================
--- /dev/null 1970-01-01 00:00:00.000000000 +0000
+++ refpolicy/policy/modules/suse/a2a2.te 2012-10-22 21:59:12.309453025 +0200
@@ -0,0 +1,45 @@
+
+module a2a2 1.0;
+
+require {
+ type lib_t;
+ type devicekit_power_t;
+ type avahi_t;
+ type hald_t;
+ type consolekit_t;
+ type rtkit_daemon_t;
+ type system_dbusd_t;
+ type NetworkManager_t;
+ type xdm_t;
+ class dbus send_msg;
+ class file execute_no_trans;
+}
+
+#============= NetworkManager_t ==============
+allow NetworkManager_t xdm_t:dbus send_msg;
+
+#============= avahi_t ==============
+allow avahi_t xdm_t:dbus send_msg;
+
+#============= devicekit_power_t ==============
+allow devicekit_power_t lib_t:file execute_no_trans;
+allow devicekit_power_t xdm_t:dbus send_msg;
+
+#============= hald_t ==============
+allow hald_t xdm_t:dbus send_msg;
+
+#============= rtkit_daemon_t ==============
+allow rtkit_daemon_t xdm_t:dbus send_msg;
+
+#============= system_dbusd_t ==============
+allow system_dbusd_t consolekit_t:dbus send_msg;
+allow system_dbusd_t devicekit_power_t:dbus send_msg;
+allow system_dbusd_t rtkit_daemon_t:dbus send_msg;
+allow system_dbusd_t xdm_t:dbus send_msg;
+
+#============= xdm_t ==============
+allow xdm_t NetworkManager_t:dbus send_msg;
+allow xdm_t avahi_t:dbus send_msg;
+allow xdm_t devicekit_power_t:dbus send_msg;
+allow xdm_t hald_t:dbus send_msg;
+allow xdm_t rtkit_daemon_t:dbus send_msg;
Index: refpolicy/policy/modules/suse/a2a3.fc
===================================================================
--- /dev/null 1970-01-01 00:00:00.000000000 +0000
+++ refpolicy/policy/modules/suse/a2a3.fc 2012-10-22 21:59:12.309453025 +0200
@@ -0,0 +1,2 @@
+
+# currently has no file contexts
Index: refpolicy/policy/modules/suse/a2a3.if
===================================================================
--- /dev/null 1970-01-01 00:00:00.000000000 +0000
+++ refpolicy/policy/modules/suse/a2a3.if 2012-10-22 21:59:12.309453025 +0200
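Review bot: The pairwise `dbus send_msg` rules between xdm_t and each daemon are written as raw allows over a nine-type require block, which hard-binds this module to every one of those types and breaks the build whenever one of the owning modules is not loaded; refpolicy's convention is to call the owning module's interface inside `optional_policy()` (for example `xserver_dbus_chat_xdm(avahi_t)` or each daemon's own `*_dbus_chat` interface) so the rule is dropped cleanly when the module is absent. `allow devicekit_power_t lib_t:file execute_no_trans;` is different in kind: executing a lib_t file in-domain usually means a helper under /usr/lib is missing an exec type, so a file-context fix is more likely the right answer than the allow, and a comment naming the helper would let the next reader verify that.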
@@ -0,0 +1 @@
+## <summary>Policy generated by audit2allow for avc's from var log messages</summary>
Index: refpolicy/policy/modules/suse/a2a3.te
===================================================================
--- /dev/null 1970-01-01 00:00:00.000000000 +0000
+++ refpolicy/policy/modules/suse/a2a3.te 2012-10-22 21:59:12.309453025 +0200
@@ -0,0 +1,43 @@
+
+module a2a3 1.0;
+
+require {
+ type xserver_log_t;
+ type hplip_etc_t;
+ type syslogd_t;
+ type etc_t;
+ type xauth_home_t;
+ type pulseaudio_home_t;
+ type gpg_secret_t;
+ type device_t;
+ type devlog_t;
+ type user_t;
+ type gconf_home_t;
+ type gconf_etc_t;
+ class sock_file write;
+ class fifo_file setattr;
+ class unix_dgram_socket sendto;
+ class dir { write setattr };
+ class file { write relabelfrom entrypoint read open };
+}
+
+#============= user_t ==============
+allow user_t device_t:fifo_file setattr;
+allow user_t devlog_t:sock_file write;
+allow user_t etc_t:file entrypoint;
+allow user_t gconf_etc_t:file { read open };
+#!!!! The source type 'user_t' can write to a 'dir' of the following types:
+# tmpfs_t, uml_tmp_t, xdm_tmp_t, httpd_user_ra_content_t, httpd_user_rw_content_t, gpg_agent_tmp_t, user_fonts_cache_t, user_tmp_t, ethereal_home_t, screen_home_t, user_home_t, nfsd_rw_t, session_dbusd_tmp_t, bluetooth_helper_tmpfs_t, mozilla_home_t, tmp_t, screen_var_run_t, gpg_pinentry_tmp_t, user_fonts_t, user_tmpfs_t, bluetooth_helper_tmp_t, uml_exec_t, user_fonts_config_t, ssh_home_t, httpd_user_script_exec_t, user_home_dir_t, mplayer_home_t, tvtime_home_t, uml_ro_t, uml_rw_t, nfs_t, noxattrfs
+
+allow user_t gconf_home_t:dir write;
+#!!!! The source type 'user_t' can write to a 'file' of the following types:
+# usbfs_t, uml_tmp_t, xdm_tmp_t, httpd_user_ra_content_t, httpd_user_rw_content_t, gpg_agent_tmp_t, user_fonts_cache_t, user_tmp_t, xserver_tmpfs_t, iceauth_home_t, xauth_home_t, ethereal_home_t, screen_home_t, user_home_t, nfsd_rw_t, session_dbusd_tmp_t, anon_inodefs_t, bluetooth_helper_tmpfs_t, mozilla_home_t, screen_var_run_t, user_fonts_t, user_tmpfs_t, httpd_user_htaccess_t, bluetooth_helper_tmp_t, uml_exec_t, user_fonts_config_t, ssh_home_t, httpd_user_script_exec_t, security_t, mplayer_home_t, mail_spool_t, tvtime_home_t, uml_ro_t, uml_rw_t, nfs_t, noxattrfs
+
+allow user_t gpg_secret_t:file { read write open };
+allow user_t hplip_etc_t:file { read open };
+allow user_t pulseaudio_home_t:dir setattr;
+allow user_t syslogd_t:unix_dgram_socket sendto;
+#!!!! This avc is a constraint violation. You will need to add an attribute to either the source or target type to make it work.
+
+allow user_t xauth_home_t:file relabelfrom;
+allow user_t xserver_log_t:file { read open };
Index: refpolicy/policy/modules/suse/a2a4.fc
===================================================================
--- /dev/null 1970-01-01 00:00:00.000000000 +0000
+++ refpolicy/policy/modules/suse/a2a4.fc 2012-10-22 21:59:12.309453025 +0200
@@ -0,0 +1,2 @@
+
+# currently has no file contexts
Index: refpolicy/policy/modules/suse/a2a4.if
===================================================================
--- /dev/null 1970-01-01 00:00:00.000000000 +0000
+++ refpolicy/policy/modules/suse/a2a4.if 2012-10-22 21:59:12.309453025 +0200
@@ -0,0 +1 @@
+## <summary>Policy generated by audit2allow for avc's from var log messages</summary>
Index: refpolicy/policy/modules/suse/a2a4.te
===================================================================
--- /dev/null 1970-01-01 00:00:00.000000000 +0000
+++ refpolicy/policy/modules/suse/a2a4.te 2012-10-22 21:59:12.309453025 +0200
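Review bot: `allow user_t etc_t:file entrypoint;` makes every file labelled etc_t a valid entry point into the user_t domain, a domain-entry decision that should never be made for a generic configuration type; the denial almost certainly comes from an executable script sitting in /etc with the wrong label, and the fix is a file context (an exec type) for that script, not this rule. Two further rules widen user_t beyond what a session domain should have: `allow user_t gpg_secret_t:file { read write open }` gives the plain user domain direct write access to the GnuPG secret keyring instead of going through gpg_t, and `allow user_t xauth_home_t:file relabelfrom` lets it relabel ~/.Xauthority away from its protected type. The audit2allow marker `#!!!! This avc is a constraint violation` above the `syslogd_t:unix_dgram_socket sendto` rule is the tool telling you that the allow by itself will not resolve that denial, so it should be investigated rather than committed as-is.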
@@ -0,0 +1,53 @@
+
+module a2a4 1.0;
+
+require {
+ type mount_t;
+ type etc_t;
+ type device_t;
+ type cupsd_t;
+ type pulseaudio_home_t;
+ type cupsd_etc_t;
+ type tmp_t;
+ type avahi_t;
+ type user_t;
+ type proc_t;
+ type gconf_home_t;
+ type xdm_tmp_t;
+ type samba_etc_t;
+ class fifo_file write;
+ class netlink_kobject_uevent_socket { read bind create getattr setopt };
+ class capability dac_override;
+ class file { write read lock create unlink open };
+ class sock_file unlink;
+ class lnk_file read;
+ class dir { remove_name add_name setattr };
+}
+
+#============= avahi_t ==============
+allow avahi_t device_t:fifo_file write;
+
+#============= cupsd_t ==============
+allow cupsd_t cupsd_etc_t:file write;
+
+#============= mount_t ==============
+allow mount_t device_t:fifo_file write;
+allow mount_t etc_t:file { write unlink };
+
+#============= user_t ==============
+allow user_t gconf_home_t:dir { remove_name add_name };
+#!!!! The source type 'user_t' can write to a 'file' of the following types:
+# uml_tmp_t, xdm_tmp_t, httpd_user_ra_content_t, httpd_user_rw_content_t, gpg_agent_tmp_t, user_fonts_cache_t, user_tmp_t, iceauth_home_t, xauth_home_t, ethereal_home_t, screen_home_t, user_home_t, nfsd_rw_t, bluetooth_helper_tmpfs_t, mozilla_home_t, screen_var_run_t, user_fonts_t, user_tmpfs_t, httpd_user_htaccess_t, bluetooth_helper_tmp_t, uml_exec_t, user_fonts_config_t, ssh_home_t, httpd_user_script_exec_t, mplayer_home_t, tvtime_home_t, uml_ro_t, uml_rw_t, nfs_t, noxattrfs
+
+allow user_t gconf_home_t:file { write create unlink open };
+allow user_t proc_t:file write;
+#!!!! The source type 'user_t' can write to a 'file' of the following types:
+# usbfs_t, uml_tmp_t, xdm_tmp_t, httpd_user_ra_content_t, httpd_user_rw_content_t, gpg_agent_tmp_t, user_fonts_cache_t, user_tmp_t, xserver_tmpfs_t, iceauth_home_t, xauth_home_t, ethereal_home_t, screen_home_t, user_home_t, nfsd_rw_t, session_dbusd_tmp_t, anon_inodefs_t, bluetooth_helper_tmpfs_t, mozilla_home_t, screen_var_run_t, user_fonts_t, user_tmpfs_t, httpd_user_htaccess_t, bluetooth_helper_tmp_t, uml_exec_t, user_fonts_config_t, ssh_home_t, httpd_user_script_exec_t, security_t, mplayer_home_t, mail_spool_t, tvtime_home_t, uml_ro_t, uml_rw_t, nfs_t, noxattrfs
+
+allow user_t pulseaudio_home_t:file { read write open lock };
+allow user_t pulseaudio_home_t:lnk_file read;
+allow user_t samba_etc_t:file { read open };
+allow user_t self:capability dac_override;
+allow user_t self:netlink_kobject_uevent_socket { read bind create getattr setopt };
+allow user_t tmp_t:dir setattr;
+allow user_t xdm_tmp_t:sock_file unlink;
Index: refpolicy/policy/modules/suse/a2a5.fc
===================================================================
--- /dev/null 1970-01-01 00:00:00.000000000 +0000
+++ refpolicy/policy/modules/suse/a2a5.fc 2012-10-22 21:59:12.309453025 +0200
@@ -0,0 +1,2 @@
+
+# currently has no file contexts
Index: refpolicy/policy/modules/suse/a2a5.if
===================================================================
--- /dev/null 1970-01-01 00:00:00.000000000 +0000
+++ refpolicy/policy/modules/suse/a2a5.if 2012-10-22 21:59:12.309453025 +0200
@@ -0,0 +1 @@
+## <summary>Policy generated by audit2allow for avc's from var log messages</summary>
Index: refpolicy/policy/modules/suse/a2a5.te
===================================================================
--- /dev/null 1970-01-01 00:00:00.000000000 +0000
+++ refpolicy/policy/modules/suse/a2a5.te 2012-10-22 21:59:12.310453056 +0200
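Review bot: `allow user_t self:capability dac_override;` lets any process in the unprivileged user domain that holds that capability bypass DAC permission checks on every file on the system, which is the single capability most useful for reading or tampering with other users' and root's files; it should stay denied and the program that triggered it (something running as root inside user_t, which is itself a sign of a missing transition) should be identified instead. `allow user_t proc_t:file write;` is similarly broad, covering any writable generic procfs file rather than a specific sysctl type. `allow mount_t etc_t:file { write unlink }` looks like mount rewriting /etc/mtab; refpolicy handles that through the etc_runtime type (`files_manage_etc_runtime_files(mount_t)` plus a file transition) so the rest of /etc stays read-only to mount_t.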
@@ -0,0 +1,21 @@
+
+module a2a5 1.0;
+
+require {
+ type fsadm_t;
+ type tty_device_t;
+ type device_t;
+ type auditctl_t;
+ type hostname_t;
+ class fifo_file write;
+ class chr_file { read write };
+}
+
+#============= auditctl_t ==============
+allow auditctl_t device_t:fifo_file write;
+
+#============= fsadm_t ==============
+allow fsadm_t tty_device_t:chr_file { read write };
+
+#============= hostname_t ==============
+allow hostname_t tty_device_t:chr_file { read write };
Index: refpolicy/policy/modules/suse/a2aaudit.fc
===================================================================
--- /dev/null 1970-01-01 00:00:00.000000000 +0000
+++ refpolicy/policy/modules/suse/a2aaudit.fc 2012-10-22 21:59:12.310453056 +0200
@@ -0,0 +1,2 @@
+
+# currently has no file contexts
Index: refpolicy/policy/modules/suse/a2aaudit.if
===================================================================
--- /dev/null 1970-01-01 00:00:00.000000000 +0000
+++ refpolicy/policy/modules/suse/a2aaudit.if 2012-10-22 21:59:12.310453056 +0200
@@ -0,0 +1 @@
+## <summary>Policy generated by audit2allow for avc's from var log audit audit.log</summary>
Index: refpolicy/policy/modules/suse/a2aaudit.te
===================================================================
--- /dev/null 1970-01-01 00:00:00.000000000 +0000
+++ refpolicy/policy/modules/suse/a2aaudit.te 2012-10-22 21:59:12.310453056 +0200
@@ -0,0 +1,16 @@
+
+module a2aaudit 1.0;
+
+require {
+ type fsdaemon_t;
+ type crond_t;
+ type usr_t;
+ class capability audit_control;
+ class file { read getattr open };
+}
+
+#============= crond_t ==============
+allow crond_t self:capability audit_control;
+
+#============= fsdaemon_t ==============
+allow fsdaemon_t usr_t:file { read getattr open };
Index: refpolicy/policy/modules/suse/a2aaudit2.fc
===================================================================
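Review bot: `allow crond_t self:capability audit_control;` lets the cron daemon itself change audit rules and enable or disable auditing, which is exactly the capability an attacker who has reached crond_t would want and not something a scheduler needs; the denial most likely comes from a cron job (audit log rotation or similar) that ran in crond_t instead of transitioning to system_cronjob_t or auditctl_t. Find that job and fix its transition rather than granting the capability to the daemon; if the rule must stay for now, a comment naming the job is the minimum. The `fsdaemon_t usr_t:file { read getattr open }` rule is harmless but is what `files_read_usr_files(fsdaemon_t)` already expresses.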
--- /dev/null 1970-01-01 00:00:00.000000000 +0000
+++ refpolicy/policy/modules/suse/a2aaudit2.fc 2012-10-22 21:59:12.310453056 +0200
@@ -0,0 +1,2 @@
+
+# currently has no file contexts
Index: refpolicy/policy/modules/suse/a2aaudit2.if
===================================================================
--- /dev/null 1970-01-01 00:00:00.000000000 +0000
+++ refpolicy/policy/modules/suse/a2aaudit2.if 2012-10-22 21:59:12.310453056 +0200
@@ -0,0 +1 @@
+## <summary>Policy generated by audit2allow for avc's from var log audit audit.log</summary>
Index: refpolicy/policy/modules/suse/a2aaudit2.te
===================================================================
--- /dev/null 1970-01-01 00:00:00.000000000 +0000
+++ refpolicy/policy/modules/suse/a2aaudit2.te 2012-10-22 21:59:12.310453056 +0200
@@ -0,0 +1,37 @@
+
+module a2aaudit2 1.0;
+
+require {
+ type consolekit_var_run_t;
+ type udev_t;
+ type nscd_t;
+ type consolekit_t;
+ type lib_t;
+ type system_dbusd_var_run_t;
+ type cupsd_t;
+ class process { execstack execmem };
+ class fifo_file write;
+ class dir { write search rmdir remove_name create add_name };
+ class file { read create execute_no_trans write getattr unlink open };
+}
+
+#============= consolekit_t ==============
+allow consolekit_t lib_t:file execute_no_trans;
+#!!!! The source type 'consolekit_t' can write to a 'dir' of the following types:
+# consolekit_var_run_t, user_fonts_cache_t
+
+allow consolekit_t system_dbusd_var_run_t:dir { write remove_name create add_name rmdir };
+#!!!! The source type 'consolekit_t' can write to a 'file' of the following types:
+# pam_var_console_t, consolekit_var_run_t, user_fonts_cache_t, consolekit_log_t
+
+allow consolekit_t system_dbusd_var_run_t:file { write create unlink open };
+
+#============= cupsd_t ==============
+allow cupsd_t self:process { execstack execmem };
+
+#============= nscd_t ==============
+allow nscd_t self:fifo_file write;
+
+#============= udev_t ==============
+allow udev_t consolekit_var_run_t:dir search;
+allow udev_t consolekit_var_run_t:file { read getattr open };
Index: refpolicy/policy/modules/suse/a2aaudit3.fc
===================================================================
--- /dev/null 1970-01-01 00:00:00.000000000 +0000
+++ refpolicy/policy/modules/suse/a2aaudit3.fc 2012-10-22 21:59:12.310453056 +0200
@@ -0,0 +1,2 @@
+
+# currently has no file contexts
Index: refpolicy/policy/modules/suse/a2aaudit3.if
===================================================================
--- /dev/null 1970-01-01 00:00:00.000000000 +0000
+++ refpolicy/policy/modules/suse/a2aaudit3.if 2012-10-22 21:59:12.310453056 +0200
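Review bot: `allow cupsd_t self:process { execstack execmem };` switches off the executable-stack and writable-plus-executable memory checks for a network-facing service, discarding one of the cheapest exploit mitigations the policy gives cupsd; unless a specific filter or driver is known to need it, this should stay denied or be confined to the filter domain that needs it rather than granted to cupsd_t. `allow consolekit_t system_dbusd_var_run_t:dir { write remove_name create add_name rmdir }` and the matching file rule let ConsoleKit create and delete entries in the system bus's runtime directory; the `#!!!!` notes audit2allow left above them list the directories consolekit_t is meant to write, so confirm which path was actually hit (a mislabelled file under /var/run is the usual cause) before accepting it.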
@@ -0,0 +1 @@
+## <summary>Policy generated by audit2allow for avc's from var log audit audit.log</summary>
Index: refpolicy/policy/modules/suse/a2aaudit3.te
===================================================================
--- /dev/null 1970-01-01 00:00:00.000000000 +0000
+++ refpolicy/policy/modules/suse/a2aaudit3.te 2012-10-22 21:59:12.311453087 +0200
@@ -0,0 +1,43 @@
+
+module a2aaudit3 1.0;
+
+require {
+ type tmp_t;
+ type user_t;
+ type gconf_home_t;
+ type pulseaudio_home_t;
+ type samba_etc_t;
+ type mail_spool_t;
+ type default_t;
+ type postfix_local_t;
+ type etc_t;
+ type chkpwd_t;
+ type bin_t;
+ type shell_exec_t;
+ type xsession_exec_t;
+ class lnk_file read;
+ class netlink_kobject_uevent_socket { bind create getattr setopt };
+ class dir { remove_name add_name rmdir setattr search };
+ class file { write entrypoint read lock create unlink open rmdir };
+}
+
+#============= user_t ==============
+allow user_t gconf_home_t:dir { remove_name add_name };
+allow user_t gconf_home_t:file { write create unlink open };
+allow user_t pulseaudio_home_t:file { read write open lock };
+allow user_t pulseaudio_home_t:lnk_file read;
+allow user_t pulseaudio_home_t:dir rmdir;
+allow user_t samba_etc_t:file { read open };
+allow user_t self:netlink_kobject_uevent_socket { bind create getattr setopt };
+allow user_t tmp_t:dir setattr;
+allow user_t pulseaudio_home_t:dir rmdir;
+
+#============= postfix_local_t ==============
+allow postfix_local_t default_t:dir search;
+allow postfix_local_t mail_spool_t:file write;
+
+#============= chkpwd_t ==============
+allow chkpwd_t bin_t:file entrypoint;
+allow chkpwd_t etc_t:file entrypoint;
+allow chkpwd_t shell_exec_t:file entrypoint;
+allow chkpwd_t xsession_exec_t:file entrypoint;
Index: refpolicy/policy/modules/suse/a2adbusd.fc
===================================================================
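Review bot: The four `allow chkpwd_t ...:file entrypoint` rules (bin_t, etc_t, shell_exec_t, xsession_exec_t) make ordinary binaries, shells and session scripts valid entry points into chkpwd_t, the helper domain whose purpose is to read the shadow password file; a domain that can be entered from a generic shell no longer confines anything, so these should be dropped and the program that ended up in chkpwd_t (a PAM helper invoked with the wrong transition, presumably) should get its own exec type and domain transition. The require line `class file { ... rmdir }` names a permission that belongs to the dir class, not file, and no rule below uses it, so check that this module even compiles as written. `allow user_t pulseaudio_home_t:dir rmdir;` appears twice.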
--- /dev/null 1970-01-01 00:00:00.000000000 +0000
+++ refpolicy/policy/modules/suse/a2adbusd.fc 2012-10-22 21:59:12.311453087 +0200
@@ -0,0 +1,2 @@
+
+# currently has no file contexts
Index: refpolicy/policy/modules/suse/a2adbusd.if
===================================================================
--- /dev/null 1970-01-01 00:00:00.000000000 +0000
+++ refpolicy/policy/modules/suse/a2adbusd.if 2012-10-22 21:59:12.311453087 +0200
@@ -0,0 +1 @@
+## <summary>Policy generated by audit2allow for avc's related to system_dbusd_t</summary>
Index: refpolicy/policy/modules/suse/a2adbusd.te
===================================================================
--- /dev/null 1970-01-01 00:00:00.000000000 +0000
+++ refpolicy/policy/modules/suse/a2adbusd.te 2012-10-22 21:59:12.311453087 +0200
@@ -0,0 +1,144 @@
+
+module a2adbusd 1.0;
+
+require {
+ type user_t;
+ type var_log_t;
+ type setroubleshootd_exec_t;
+ type bin_t;
+ type setroubleshoot_var_lib_t;
+ type default_t;
+ type rpm_var_lib_t;
+ type setroubleshoot_var_log_t;
+ type system_dbusd_t;
+ type session_dbusd_tmp_t;
+ type system_dbusd_var_run_t;
+ type user_dbusd_t;
+ type syslogd_t;
+ type devicekit_power_t;
+ type avahi_t;
+ type user_t;
+ type consolekit_t;
+ type rtkit_daemon_t;
+ type fusefs_t;
+ type sysfs_t;
+ type gconf_home_t;
+ type xdm_var_run_t;
+ type etc_runtime_t;
+ type gconf_etc_t;
+ type debugfs_t;
+ type lib_t;
+ type fuse_device_t;
+ type xserver_t;
+ type etc_t;
+ type user_home_t;
+ type fixed_disk_device_t;
+ type mount_exec_t;
+ class fifo_file setattr;
+ class dbus send_msg;
+ class file { write entrypoint read open append };
+ class sock_file write;
+ class unix_dgram_socket sendto;
+ class dir search;
+
+ class process { execstack execmem };
+ class lnk_file read;
+ class dir { write search getattr };
+ class process getsched;
+ class unix_stream_socket connectto;
+ class netlink_kobject_uevent_socket { bind create setopt getattr };
+ class chr_file { read write open };
+ class capability { setuid dac_override };
+ class file { rename execute setattr read lock create ioctl execute_no_trans write getattr link unlink open append };
+ class filesystem mount;
+ class sock_file { write create unlink };
+ class blk_file getattr;
+ class dir { search setattr read mounton write getattr remove_name open add_name };
+
+}
+optional_policy(`
+ unconfined_dbus_chat(user_t)
+')
+
+#============= system_dbusd_t ==============
+allow system_dbusd_t bin_t:file { read execute open getattr };
+allow system_dbusd_t bin_t:lnk_file read;
+allow system_dbusd_t default_t:dir search;
+#!!!! The source type 'system_dbusd_t' can write to a 'dir' of the following types:
+# tmp_t, system_dbusd_var_run_t, var_run_t, system_dbusd_tmp_t
+
+allow system_dbusd_t rpm_var_lib_t:dir { write getattr search };
+allow system_dbusd_t rpm_var_lib_t:file { read lock getattr open };
+allow system_dbusd_t self:process { execstack execmem };
+allow system_dbusd_t setroubleshoot_var_lib_t:dir search;
+#!!!! The source type 'system_dbusd_t' can write to a 'file' of the following types:
+# system_dbusd_var_run_t, system_dbusd_tmp_t
+
+allow system_dbusd_t setroubleshoot_var_lib_t:file { read write getattr open setattr };
+allow system_dbusd_t setroubleshoot_var_log_t:dir search;
+#!!!! The source type 'system_dbusd_t' can write to a 'file' of the following types:
+# system_dbusd_var_run_t, security_t, system_dbusd_tmp_t
+
+allow system_dbusd_t setroubleshoot_var_log_t:file { write getattr open };
+allow system_dbusd_t setroubleshootd_exec_t:file { ioctl execute read open getattr execute_no_trans };
+allow system_dbusd_t var_log_t:dir search;
+
+#============= avahi_t ==============
+allow avahi_t user_t:dbus send_msg;
+
+#============= consolekit_t ==============
+allow consolekit_t user_t:dbus send_msg;
+
+#============= devicekit_power_t ==============
+allow devicekit_power_t user_t:dbus send_msg;
+
+#============= rtkit_daemon_t ==============
+allow rtkit_daemon_t user_t:dbus send_msg;
+
+#============= system_dbusd_t ==============
+allow system_dbusd_t user_dbusd_t:dbus send_msg;
+allow system_dbusd_t user_t:dbus send_msg;
+
+#============= user_dbusd_t ==============
+allow user_dbusd_t system_dbusd_t:dbus send_msg;
+allow user_dbusd_t user_t:dbus send_msg;
+allow user_dbusd_t debugfs_t:dir search;
+allow user_dbusd_t default_t:dir { write search read open getattr mounton };
+allow user_dbusd_t default_t:file { read append };
+allow user_dbusd_t etc_runtime_t:file { read write getattr open append };
+allow user_dbusd_t etc_t:dir { write remove_name add_name };
+allow user_dbusd_t etc_t:file { write create unlink link };
+allow user_dbusd_t fixed_disk_device_t:blk_file getattr;
+allow user_dbusd_t fuse_device_t:chr_file { read write open };
+allow user_dbusd_t fusefs_t:filesystem mount;
+allow user_dbusd_t gconf_etc_t:dir { read search open getattr };
+allow user_dbusd_t gconf_etc_t:file { read getattr open };
+allow user_dbusd_t gconf_home_t:dir { write search read remove_name open getattr add_name };
+allow user_dbusd_t gconf_home_t:file { rename setattr read create write getattr unlink open append };
+allow user_dbusd_t lib_t:file execute_no_trans;
+allow user_dbusd_t mount_exec_t:file { read execute open execute_no_trans };
+allow user_dbusd_t self:capability { setuid dac_override };
+allow user_dbusd_t self:netlink_kobject_uevent_socket { bind create setopt getattr };
+allow user_dbusd_t self:process getsched;
+allow user_dbusd_t self:unix_stream_socket connectto;
+allow user_dbusd_t session_dbusd_tmp_t:sock_file { write create };
+allow user_dbusd_t sysfs_t:dir { read search open getattr };
+allow user_dbusd_t system_dbusd_t:unix_stream_socket connectto;
+allow user_dbusd_t system_dbusd_var_run_t:dir search;
+allow user_dbusd_t system_dbusd_var_run_t:sock_file write;
+allow user_dbusd_t user_home_t:dir { read write add_name remove_name };
+allow user_dbusd_t user_home_t:file { write rename create unlink };
+allow user_dbusd_t user_t:unix_stream_socket connectto;
+allow user_dbusd_t xdm_var_run_t:dir search;
+allow user_dbusd_t xdm_var_run_t:file { read getattr open };
+allow user_dbusd_t xserver_t:unix_stream_socket connectto;
+
+#============= user_t ==============
+allow user_t avahi_t:dbus send_msg;
+allow user_t consolekit_t:dbus send_msg;
+allow user_t devicekit_power_t:dbus send_msg;
+allow user_t rtkit_daemon_t:dbus send_msg;
+allow user_t session_dbusd_tmp_t:dir { write remove_name add_name setattr };
+allow user_t session_dbusd_tmp_t:file { read write create open lock };
+allow user_t session_dbusd_tmp_t:sock_file { write create unlink };
+
Index: refpolicy/policy/modules/suse/a2adbusd2.fc
===================================================================
--- /dev/null 1970-01-01 00:00:00.000000000 +0000
+++ refpolicy/policy/modules/suse/a2adbusd2.fc 2012-10-22 21:59:12.311453087 +0200
@@ -0,0 +1,2 @@
+
+# currently has no file contexts
Index: refpolicy/policy/modules/suse/a2adbusd2.if
===================================================================
--- /dev/null 1970-01-01 00:00:00.000000000 +0000
+++ refpolicy/policy/modules/suse/a2adbusd2.if 2012-10-22 21:59:12.311453087 +0200
@@ -0,0 +1 @@
+## <summary>Policy generated by audit2allow for avc's from var log messages</summary>
Index: refpolicy/policy/modules/suse/a2adbusd2.te
===================================================================
--- /dev/null 1970-01-01 00:00:00.000000000 +0000
+++ refpolicy/policy/modules/suse/a2adbusd2.te 2012-10-22 21:59:12.311453087 +0200
@@ -0,0 +1,31 @@
+
+module a2adbusd2 1.0;
+
+require {
+ type user_t;
+ type fusefs_t;
+ type etc_t;
+ type user_dbusd_t;
+ type session_dbusd_tmp_t;
+ type etc_runtime_t;
+ type system_cronjob_t;
+ type system_dbusd_t;
+ class dbus send_msg;
+ class capability chown;
+ class sock_file unlink;
+ class file { rename unlink setattr };
+ class filesystem unmount;
+}
+
+#============= user_dbusd_t ==============
+allow user_dbusd_t etc_runtime_t:file unlink;
+allow user_dbusd_t etc_t:file { rename setattr };
+allow user_dbusd_t fusefs_t:filesystem unmount;
+allow user_dbusd_t self:capability chown;
+allow user_dbusd_t session_dbusd_tmp_t:sock_file unlink;
+
+#============= user_t ==============
+allow user_t session_dbusd_tmp_t:file unlink;
+
+#============= system_dbusd_t ==============
+allow system_dbusd_t system_cronjob_t:dbus send_msg;
Index: refpolicy/policy/modules/suse/a2admesg.fc
===================================================================
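Review bot: The user_dbusd_t rules hand the per-session message bus `self:capability { setuid dac_override }`, `fusefs_t:filesystem mount`, `default_t:dir ... mounton`, and create/unlink/link on `etc_t` files and directories — root-equivalent powers a bus daemon has no reason to hold. The denials clearly come from programs the bus launched that stayed in user_dbusd_t (mount via `mount_exec_t`, which should be `mount_domtrans(user_dbusd_t)`; whatever was run through `lib_t:file execute_no_trans`), so the fix is domain transitions for those helpers, not these grants. The same pattern shows on system_dbusd_t, which executes `setroubleshootd_exec_t` in-domain and writes setroubleshoot's lib and log files instead of transitioning to setroubleshootd_t, and additionally gets `execstack execmem`. The require block also declares `type user_t;` twice, `class dir` three times, `class file` twice and `class process` twice; merge each into a single entry.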
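Review bot: `allow user_dbusd_t etc_t:file { rename setattr }`, `fusefs_t:filesystem unmount` and `self:capability chown` continue the pattern of giving the session bus daemon file-system and capability rights that belong to the helpers it launches; as with the mount rule in a2adbusd.te, the process that needs them should transition to its own domain (mount_t for the FUSE unmount) instead of running as user_dbusd_t. If these are kept temporarily they belong in the same module as the other user_dbusd_t rules — spreading one domain's allows across a2adbusd and a2adbusd2 makes the next audit harder — and each should carry a comment naming the program that triggered it.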
--- /dev/null 1970-01-01 00:00:00.000000000 +0000
+++ refpolicy/policy/modules/suse/a2admesg.fc 2012-10-22 21:59:12.311453087 +0200
@@ -0,0 +1,2 @@
+
+# currently has no file contexts
Index: refpolicy/policy/modules/suse/a2admesg.if
===================================================================
--- /dev/null 1970-01-01 00:00:00.000000000 +0000
+++ refpolicy/policy/modules/suse/a2admesg.if 2012-10-22 21:59:12.312453118 +0200
@@ -0,0 +1 @@
+## <summary>Policy generated by audit2allow for avc's related to system_dbusd_t</summary>
Index: refpolicy/policy/modules/suse/a2admesg.te
===================================================================
--- /dev/null 1970-01-01 00:00:00.000000000 +0000
+++ refpolicy/policy/modules/suse/a2admesg.te 2012-10-22 21:59:12.312453118 +0200
@@ -0,0 +1,26 @@
+
+module a2admesg 1.0;
+
+require {
+ type hwclock_t;
+ type mount_t;
+ type init_t;
+ type setfiles_t;
+ type klogd_t;
+ type tty_device_t;
+ class chr_file { read write };
+ class fifo_file read;
+}
+
+#============= hwclock_t ==============
+allow hwclock_t init_t:fifo_file read;
+
+#============= klogd_t ==============
+allow klogd_t init_t:fifo_file read;
+allow klogd_t tty_device_t:chr_file { read write };
+
+#============= mount_t ==============
+allow mount_t init_t:fifo_file read;
+
+#============= setfiles_t ==============
+allow setfiles_t init_t:fifo_file read;
Index: refpolicy/policy/modules/suse/a2adolphin.fc
===================================================================
--- /dev/null 1970-01-01 00:00:00.000000000 +0000
+++ refpolicy/policy/modules/suse/a2adolphin.fc 2012-10-22 21:59:12.312453118 +0200
@@ -0,0 +1,2 @@
+
+# currently has no file contexts
Index: refpolicy/policy/modules/suse/a2adolphin.if
===================================================================
--- /dev/null 1970-01-01 00:00:00.000000000 +0000
+++ refpolicy/policy/modules/suse/a2adolphin.if 2012-10-22 21:59:12.312453118 +0200
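Review bot: The a2admesg.if summary reads `Policy generated by audit2allow for avc's related to system_dbusd_t`, which is copied from a2adbusd.if and does not describe this module: no dbus type is required, and the rules cover hwclock_t, klogd_t, mount_t and setfiles_t reading init_t's fifo plus klogd on the tty. The module name suggests the denials were taken from dmesg, so something like `## <summary>Policy generated by audit2allow for avc's seen in dmesg during boot</summary>` would be accurate, hedged to whatever the author actually collected.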
@@ -0,0 +1 @@
+## <summary>Policy generated by audit2allow for avc's under opensuse 11.3</summary>
Index: refpolicy/policy/modules/suse/a2adolphin.te
===================================================================
--- /dev/null 1970-01-01 00:00:00.000000000 +0000
+++ refpolicy/policy/modules/suse/a2adolphin.te 2012-10-22 21:59:12.312453118 +0200
@@ -0,0 +1,13 @@
+
+module a2adolphin 1.0;
+
+require {
+ type httpd_user_content_t;
+ type exports_t;
+ type user_t;
+ class file { write read open };
+}
+
+#============= user_t ==============
+allow user_t exports_t:file { read open };
+allow user_t httpd_user_content_t:file write;
Index: refpolicy/policy/modules/suse/a2afirefox.fc
===================================================================
--- /dev/null 1970-01-01 00:00:00.000000000 +0000
+++ refpolicy/policy/modules/suse/a2afirefox.fc 2012-10-22 21:59:12.312453118 +0200
@@ -0,0 +1,2 @@
+
+# currently has no file contexts
Index: refpolicy/policy/modules/suse/a2afirefox.if
===================================================================
--- /dev/null 1970-01-01 00:00:00.000000000 +0000
+++ refpolicy/policy/modules/suse/a2afirefox.if 2012-10-22 21:59:12.312453118 +0200
@@ -0,0 +1 @@
+## <summary>Policy generated by audit2allow for avc's from var log messages</summary>
Index: refpolicy/policy/modules/suse/a2afirefox.te
===================================================================
--- /dev/null 1970-01-01 00:00:00.000000000 +0000
+++ refpolicy/policy/modules/suse/a2afirefox.te 2012-10-22 21:59:12.312453118 +0200
@@ -0,0 +1,17 @@
+
+module a2afirefox 1.0;
+
+require {
+ type tmp_t;
+ type mozilla_t;
+ type security_t;
+ type user_t;
+ class fifo_file read;
+ class dir read;
+ class filesystem getattr;
+}
+
+#============= mozilla_t ==============
+allow mozilla_t security_t:filesystem getattr;
+allow mozilla_t tmp_t:dir read;
+allow mozilla_t user_t:fifo_file read;
Index: refpolicy/policy/modules/suse/a2amozilla.fc
===================================================================
--- /dev/null 1970-01-01 00:00:00.000000000 +0000
+++ refpolicy/policy/modules/suse/a2amozilla.fc 2012-10-22 21:59:12.312453118 +0200
@@ -0,0 +1,2 @@
+
+# currently has no file contexts
Index: refpolicy/policy/modules/suse/a2amozilla.if
===================================================================
--- /dev/null 1970-01-01 00:00:00.000000000 +0000
+++ refpolicy/policy/modules/suse/a2amozilla.if 2012-10-22 21:59:12.313453148 +0200
@@ -0,0 +1 @@
+## <summary>Policy generated by audit2allow for avc's under opensuse 11.3</summary>
Index: refpolicy/policy/modules/suse/a2amozilla.te
===================================================================
--- /dev/null 1970-01-01 00:00:00.000000000 +0000
+++ refpolicy/policy/modules/suse/a2amozilla.te 2012-10-22 21:59:12.313453148 +0200
@@ -0,0 +1,39 @@
+
+module a2amozilla 1.0;
+
+require {
+ type lib_t;
+ type tmp_t;
+ type fs_t;
+ type user_t;
+ type user_dbusd_t;
+ type mozilla_t;
+ type session_dbusd_tmp_t;
+ type devpts_t;
+ type xauth_home_t;
+ class process ptrace;
+ class dir { rmdir setattr };
+ class chr_file getattr;
+ class unix_stream_socket connectto;
+ class dbus { acquire_svc send_msg };
+ class file { setattr read create execute_no_trans write relabelfrom getattr link unlink open entrypoint };
+ class filesystem getattr;
+ class sock_file { write create };
+ class dir { create rmdir search setattr write getattr remove_name add_name };
+}
+
+#============= mozilla_t ==============
+allow mozilla_t fs_t:filesystem getattr;
+allow mozilla_t lib_t:file execute_no_trans;
+allow mozilla_t session_dbusd_tmp_t:dir { write getattr search setattr add_name };
+allow mozilla_t session_dbusd_tmp_t:sock_file { write create };
+allow mozilla_t tmp_t:dir { create rmdir write remove_name add_name };
+allow mozilla_t tmp_t:file { setattr read create write getattr link unlink open };
+allow mozilla_t user_dbusd_t:dbus acquire_svc;
+allow mozilla_t self:process ptrace;
+allow mozilla_t tmp_t:dir setattr;
+allow mozilla_t xauth_home_t:file write;
+
+#============= user_dbusd_t ==============
+allow user_dbusd_t mozilla_t:dbus send_msg;
+allow user_dbusd_t mozilla_t:unix_stream_socket connectto;
Index: refpolicy/policy/modules/suse/a2assh.fc
===================================================================
--- /dev/null 1970-01-01 00:00:00.000000000 +0000
+++ refpolicy/policy/modules/suse/a2assh.fc 2012-10-22 21:59:12.313453148 +0200
@@ -0,0 +1,2 @@
+
+# currently has no file contexts
Index: refpolicy/policy/modules/suse/a2assh.if
===================================================================
--- /dev/null 1970-01-01 00:00:00.000000000 +0000
+++ refpolicy/policy/modules/suse/a2assh.if 2012-10-22 21:59:12.313453148 +0200
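Review bot: `allow mozilla_t xauth_home_t:file write;` lets the browser domain modify the user's X authority cookies, which is exactly the kind of access the mozilla domain exists to deny; a browser has no legitimate need to write `~/.Xauthority`, so this denial most likely points at a mislabeled file in the home directory or at something spawned from the browser, and should be diagnosed rather than allowed. `allow mozilla_t lib_t:file execute_no_trans;` lets a compromised browser run any file labelled `lib_t` without a domain transition and `allow mozilla_t self:process ptrace;` lets it attach to its own processes; if plugin wrappers under the library directories are the trigger, the `libs_exec_lib_files()` interface is the conventional, reviewable form. The `require` block also lists permissions no rule uses (`relabelfrom` and `entrypoint` on `file`) and declares `class dir` twice, which is harmless but suggests the dump was never trimmed. At minimum each allow should carry a comment naming the motivating AVC so the grants can be revisited, e.g. `# TODO(review): AVC unexplained; remove once the xauth write is understood`.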
@@ -0,0 +1 @@
+## <summary>Policy generated by audit2allow for avc's under opensuse 11.3</summary>
Index: refpolicy/policy/modules/suse/a2assh.te
===================================================================
--- /dev/null 1970-01-01 00:00:00.000000000 +0000
+++ refpolicy/policy/modules/suse/a2assh.te 2012-10-22 21:59:12.313453148 +0200
@@ -0,0 +1,16 @@
+
+module a2assh 1.0;
+
+require {
+ type admin_home_t;
+ type ssh_t;
+ type tty_device_t;
+ class chr_file { read write };
+ class dir { search getattr };
+ class file { read append open getattr };
+}
+
+#============= ssh_t ==============
+allow ssh_t admin_home_t:dir { search getattr };
+allow ssh_t tty_device_t:chr_file { read write };
+allow ssh_t admin_home_t:file { read append open getattr };
Index: refpolicy/policy/modules/suse/a2asuse113.fc
===================================================================
--- /dev/null 1970-01-01 00:00:00.000000000 +0000
+++ refpolicy/policy/modules/suse/a2asuse113.fc 2012-10-22 21:59:12.313453148 +0200
@@ -0,0 +1,2 @@
+
+# currently has no file contexts
Index: refpolicy/policy/modules/suse/a2asuse113.if
===================================================================
--- /dev/null 1970-01-01 00:00:00.000000000 +0000
+++ refpolicy/policy/modules/suse/a2asuse113.if 2012-10-22 21:59:12.313453148 +0200
@@ -0,0 +1 @@
+## <summary>Policy generated by audit2allow for avc's under opensuse 11.3</summary>
Index: refpolicy/policy/modules/suse/a2asuse113.te
===================================================================
--- /dev/null 1970-01-01 00:00:00.000000000 +0000
+++ refpolicy/policy/modules/suse/a2asuse113.te 2012-10-22 21:59:12.313453148 +0200
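Review bot: `allow ssh_t admin_home_t:file { read append open getattr };` in the a2assh.te hunk lets the ssh client domain read and append to every file under `/root`, not just the key and known_hosts files it needs; in refpolicy those live under `HOME_DIR/\.ssh` with their own type, so needing this rule at all suggests root's `.ssh` is ending up as `admin_home_t` under the new `/root(/.*)?` context added elsewhere in this patch (inferred, not visible in this hunk). The narrower fix is to make sure `/root/.ssh` keeps its ssh-specific label, and if some access to `/root` itself really is required, to use the `userdom_read_admin_home_files()` and `userdom_inherit_append_admin_home_files()` interfaces that this same patch introduces in userdomain.if instead of a raw allow. The `tty_device_t` read/write is the usual terminal inheritance case and would normally come from a terminal-use interface rather than a direct rule. A one-line comment per rule naming the AVC, e.g. `# AVC: ssh reading /root/.ssh/known_hosts labelled admin_home_t`, would make the module reviewable.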
@@ -0,0 +1,89 @@
+
+module a2asuse113 1.0;
+
+require {
+ type udev_t;
+ type init_t;
+ type hald_t;
+ type fsadm_t;
+ type hostname_t;
+ type system_dbusd_t;
+ type lib_t;
+ type tty_device_t;
+ type user_home_t;
+ type xauth_home_t;
+ type proc_kcore_t;
+ type wtmp_t;
+ type user_dbusd_t;
+ type tmp_t;
+ type xdm_var_run_t;
+ type user_t;
+ type root_t;
+ type ptmx_t;
+ type user_ssh_agent_t;
+ type lastlog_t;
+ type utempter_t;
+ type sysadm_t;
+ type pulseaudio_home_t;
+ class lnk_file { rename create unlink };
+ class dir { write remove_name add_name mounton };
+ class unix_stream_socket connectto;
+ class dbus send_msg;
+ class netlink_audit_socket { write nlmsg_relay create read };
+ class capability { setuid sys_resource sys_ptrace audit_write };
+ class sock_file write;
+ class chr_file { read ioctl open setattr };
+ class dir mounton;
+ class file { relabelfrom execmod write read getattr unlink open append };
+ class process getsched;
+ class fd use;
+ class fifo_file read;
+}
+
+#============= fsadm_t ==============
+allow fsadm_t init_t:fifo_file read;
+
+#============= hald_t ==============
+allow hald_t self:process getsched;
+
+#============= hostname_t ==============
+allow hostname_t init_t:fifo_file read;
+
+#============= udev_t ==============
+allow udev_t init_t:fifo_file read;
+allow udev_t system_dbusd_t:fd use;
+
+#============= user_dbusd_t ==============
+allow user_dbusd_t root_t:dir mounton;
+allow user_dbusd_t tmp_t:dir mounton;
+allow user_dbusd_t user_home_t:dir mounton;
+allow user_dbusd_t xauth_home_t:file write;
+
+#============= user_ssh_agent_t ==============
+allow user_ssh_agent_t xauth_home_t:file write;
+
+#============= user_t ==============
+allow user_t lastlog_t:file { read write open };
+allow user_t lib_t:file execmod;
+allow user_t proc_kcore_t:file getattr;
+allow user_t self:capability { setuid sys_resource sys_ptrace };
+allow user_t tmp_t:file { read write unlink open };
+allow user_t tty_device_t:chr_file { read open setattr };
+allow user_t wtmp_t:file append;
+allow user_t xdm_var_run_t:sock_file write;
+allow user_t pulseaudio_home_t:dir { write remove_name add_name };
+allow user_t pulseaudio_home_t:lnk_file { rename create unlink };
+
+#============= utempter_t ==============
+allow utempter_t ptmx_t:chr_file ioctl;
+allow utempter_t user_home_t:file { write getattr };
+allow utempter_t xauth_home_t:file { write getattr };
+
+#============= sysadm_t ==============
+allow sysadm_t init_t:unix_stream_socket connectto;
+allow sysadm_t self:capability audit_write;
+allow sysadm_t self:netlink_audit_socket { write nlmsg_relay create read };
+
+#============= system_dbusd_t ==============
+allow system_dbusd_t hald_t:dbus send_msg;
+
Index: refpolicy/policy/modules/suse/a2ayast.fc
===================================================================
--- /dev/null 1970-01-01 00:00:00.000000000 +0000
+++ refpolicy/policy/modules/suse/a2ayast.fc 2012-10-22 21:59:12.313453148 +0200
@@ -0,0 +1,2 @@
+
+# currently has no file contexts
Index: refpolicy/policy/modules/suse/a2ayast.if
===================================================================
--- /dev/null 1970-01-01 00:00:00.000000000 +0000
+++ refpolicy/policy/modules/suse/a2ayast.if 2012-10-22 21:59:12.314453178 +0200
@@ -0,0 +1 @@
+## <summary>Policy generated by audit2allow for avc's under opensuse 11.3</summary>
Index: refpolicy/policy/modules/suse/a2ayast.te
===================================================================
--- /dev/null 1970-01-01 00:00:00.000000000 +0000
+++ refpolicy/policy/modules/suse/a2ayast.te 2012-10-22 21:59:12.314453178 +0200
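Review bot: `allow user_t self:capability { setuid sys_resource sys_ptrace };` in the a2asuse113.te hunk hands `CAP_SYS_PTRACE` and `CAP_SETUID` to the ordinary unprivileged user domain, which refpolicy deliberately reserves for privileged domains; a capability denial in `user_t` almost always means a setuid helper ran without a domain transition (inferred from the rule, not shown here), and the fix is the missing transition for that helper's executable type, not a capability grant to every user process. The same hunk lets `user_t` read and write `lastlog_t`, append to `wtmp_t` and `execmod` `lib_t` files, lets `user_dbusd_t` mount on `root_t`, `tmp_t` and `user_home_t` directories, and lets four different domains write `xauth_home_t`, each of which widens the user session well beyond the single denial that produced it. The `require` block also declares `class dir mounton` twice and lists `relabelfrom` on `file` although no rule uses it. Before this module ships, every rule should be tied to its AVC with a comment and the capability line in particular replaced by a comment such as `# TODO(review): identify the setuid helper behind the setuid/sys_ptrace AVCs and add a domain transition instead`.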
@@ -0,0 +1,33 @@
+
+module a2ayast 1.0;
+
+require {
+ type user_su_t;
+ type user_tmp_t;
+ type xauth_tmp_t;
+ type user_t;
+ type var_run_t;
+ type xauth_t;
+ type default_t;
+ type xauth_home_t;
+ class process sigkill;
+ class unix_stream_socket { read write };
+ class lnk_file read;
+ class dir { write remove_name add_name };
+ class file { write relabelfrom read create unlink open };
+}
+
+#============= user_t ==============
+allow user_t default_t:lnk_file read;
+allow user_t user_su_t:process sigkill;
+allow user_t var_run_t:dir { write remove_name add_name };
+allow user_t var_run_t:file { write create unlink open };
+allow user_t xauth_tmp_t:file { read unlink open };
+
+#============= xauth_t ==============
+allow xauth_t user_t:unix_stream_socket { read write };
+allow xauth_t user_tmp_t:file { write unlink };
+
+#============= user_su_t ==============
+allow user_su_t default_t:dir remove_name;
+allow user_su_t default_t:file unlink;
Index: refpolicy/policy/modules/suse/metadata.xml
===================================================================
--- /dev/null 1970-01-01 00:00:00.000000000 +0000
+++ refpolicy/policy/modules/suse/metadata.xml 2012-10-22 21:59:12.314453178 +0200
@@ -0,0 +1,3 @@
+<summary>
+ Policy modules for suse
+</summary>
Index: refpolicy/policy/modules/system/fstools.fc
===================================================================
--- refpolicy.orig/policy/modules/system/fstools.fc 2012-05-04 15:14:47.000000000 +0200
+++ refpolicy/policy/modules/system/fstools.fc 2012-10-22 21:59:12.314453178 +0200
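Review bot: `allow user_t var_run_t:dir { write remove_name add_name };` together with `allow user_t var_run_t:file { write create unlink open };` in the a2ayast.te hunk lets the unprivileged user domain create and unlink files of the generic `/var/run` type, so any pid or lock file of another service that is DAC-writable by that user can be removed or overwritten, and whatever YaST creates there gets the generic label with no transition. The conventional fix is a private type for those files with a `files_pid_filetrans()` call so only that type is managed. The `default_t` rules for `user_t` and `user_su_t` (reading links, removing entries and unlinking files) indicate paths with no file-context entry at all; those paths should get an `.fc` entry, after which these rules go away rather than being allowed against the catch-all type. The `require` block also lists `relabelfrom` on `file` although no rule uses it.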
@@ -45,3 +45,10 @@ /usr/sbin/smartctl -- gen_context(system_u:object_r:fsadm_exec_t,s0) /var/log/fsck(/.*)? gen_context(system_u:object_r:fsadm_log_t,s0) + +ifdef(`distro_suse',` +/usr/sbin/parted -- gen_context(system_u:object_r:fsadm_exec_t,s0) +/usr/sbin/partprobe -- gen_context(system_u:object_r:fsadm_exec_t,s0) +/usr/sbin/partx -- gen_context(system_u:object_r:fsadm_exec_t,s0) +') + Index: refpolicy/policy/modules/system/getty.te =================================================================== --- refpolicy.orig/policy/modules/system/getty.te 2012-05-04 15:16:38.000000000 +0200 +++ refpolicy/policy/modules/system/getty.te 2012-10-22 21:59:12.314453178 +0200 @@ -107,6 +107,12 @@ ifdef(`distro_redhat',` allow getty_t self:capability sys_admin; ') +ifdef(`distro_suse',` + optional_policy(` + unconfined_domain(getty_t) + ') +') + ifdef(`distro_ubuntu',` optional_policy(` unconfined_domain(getty_t) Index: refpolicy/policy/modules/system/logging.te =================================================================== --- refpolicy.orig/policy/modules/system/logging.te 2012-07-25 20:33:04.000000000 +0200 +++ refpolicy/policy/modules/system/logging.te 2012-10-22 21:59:12.314453178 +0200 @@ -476,6 +476,9 @@ ifdef(`distro_gentoo',` ifdef(`distro_suse',` # suse creates a /dev/log under /var/lib/stunnel for chrooted stunnel files_var_lib_filetrans(syslogd_t, devlog_t, sock_file) + optional_policy(` + unconfined_domain(syslogd_t) + ') ') ifdef(`distro_ubuntu',` Index: refpolicy/policy/modules/system/mount.fc =================================================================== --- refpolicy.orig/policy/modules/system/mount.fc 2012-05-04 15:14:47.000000000 +0200 +++ refpolicy/policy/modules/system/mount.fc 2012-10-22 21:59:12.315453208 +0200 
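Review bot: `unconfined_domain(getty_t)` in the getty.te hunk removes all confinement from the process that owns the login terminals and execs `login` on every SUSE install, and the hunk gives no hint of which denial forced it; the `distro_redhat` block directly above shows the refpolicy norm is to add the one capability the distribution needs, not to drop confinement. If this is a stopgap while the SUSE-specific denials are collected, it should say so, e.g. `# TODO(review): temporary; replace with the specific rules once the SUSE getty AVCs are known`, otherwise it will never be revisited. The Ubuntu block below it sets the same precedent, which is an argument for documenting the reason rather than for silently copying it.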
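Review bot: `unconfined_domain(syslogd_t)` in the logging.te hunk makes the syslog daemon unconfined on SUSE, and syslogd parses input from every local process over `/dev/log` and, where remote logging is enabled, from the network, so a parser bug in the daemon now yields an unconfined process instead of a confined one. The existing SUSE block it is appended to shows the only SUSE-specific need so far was the chrooted stunnel `/dev/log` socket, which was handled with a targeted `files_var_lib_filetrans` rule; the same approach should be taken for whatever denial motivated this line. At the very least the call needs a comment stating the reason and an expiry, e.g. `# TODO(review): unconfined only until the SUSE syslog AVCs are captured and expressed as specific rules`.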
@@ -2,3 +2,9 @@ /bin/umount.* -- gen_context(system_u:object_r:mount_exec_t,s0) /usr/bin/fusermount -- gen_context(system_u:object_r:mount_exec_t,s0) + +ifdef(`distro_suse',` +/usr/sbin/umount.* -- gen_context(system_u:object_r:mount_exec_t,s0) +') + + Index: refpolicy/policy/modules/system/sysnetwork.fc =================================================================== --- refpolicy.orig/policy/modules/system/sysnetwork.fc 2012-05-04 15:14:47.000000000 +0200 +++ refpolicy/policy/modules/system/sysnetwork.fc 2012-10-22 21:59:12.315453208 +0200 @@ -72,3 +72,8 @@ ifdef(`distro_redhat',` ifdef(`distro_gentoo',` /var/lib/dhcpc(/.*)? gen_context(system_u:object_r:dhcpc_state_t,s0) ') + +ifdef(`distro_suse',` +/usr/sbin/iwconfig -- gen_context(system_u:object_r:ifconfig_exec_t,s0) +') + Index: refpolicy/policy/modules/system/sysnetwork.te =================================================================== --- refpolicy.orig/policy/modules/system/sysnetwork.te 2012-07-25 20:33:04.000000000 +0200 +++ refpolicy/policy/modules/system/sysnetwork.te 2012-10-22 21:59:12.315453208 +0200 @@ -153,6 +153,12 @@ ifdef(`distro_ubuntu',` ') ') +ifdef(`distro_suse',` + optional_policy(` + unconfined_domain(dhcpc_t) + ') +') + optional_policy(` consoletype_run(dhcpc_t, dhcpc_roles) ') @@ -315,6 +321,11 @@ ifdef(`distro_ubuntu',` optional_policy(` unconfined_domain(ifconfig_t) ') +') +ifdef(`distro_suse',` + optional_policy(` + unconfined_domain(ifconfig_t) + ') ') ifdef(`hide_broken_symptoms',` Index: refpolicy/policy/modules/system/userdomain.fc =================================================================== --- refpolicy.orig/policy/modules/system/userdomain.fc 2012-05-04 15:14:47.000000000 +0200 +++ refpolicy/policy/modules/system/userdomain.fc 2012-10-22 21:59:12.315453208 +0200 
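Review bot: `unconfined_domain(dhcpc_t)` in the first sysnetwork.te hunk unconfines the DHCP client, a daemon whose whole job is parsing packets from any host on the local network, so on SUSE a bug in the lease parser now gives an attacker on the LAN an unconfined process rather than a confined one. If the trigger is the distribution's network hook scripts run from the client (inferred, not visible here), a domain transition for those scripts confines the scripts without unconfining the parser. The block should at least carry a comment recording the denial and an intent to remove it, e.g. `# TODO(review): unconfined pending SUSE-specific dhcpc rules; the client parses untrusted network input`.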
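Review bot: The second sysnetwork.te hunk closes the existing `ifdef(`distro_ubuntu',`` block with an added `+')` and then reuses the original closing `')` for the new `ifdef(`distro_suse',`` block, with no blank line between the two, which is easy to misread as a nested ifdef and does not match how the other distro blocks in this file are separated. Adding a blank line after the new `')` and keeping each block's own closing line makes the structure obvious. On substance, `unconfined_domain(ifconfig_t)` is less dangerous than the dhcpc case because ifconfig is short-lived and takes no network input, but it still deserves a comment naming the SUSE denial that required it.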
@@ -1,4 +1,4 @@ HOME_DIR -d gen_context(system_u:object_r:user_home_dir_t,s0-mls_systemhigh) HOME_DIR/.+ gen_context(system_u:object_r:user_home_t,s0) - +/root(/.*)? gen_context(system_u:object_r:admin_home_t,s0) /tmp/gconfd-USER -d gen_context(system_u:object_r:user_tmp_t,s0) Index: refpolicy/policy/modules/system/userdomain.if =================================================================== --- refpolicy.orig/policy/modules/system/userdomain.if 2012-05-10 15:25:34.000000000 +0200 +++ refpolicy/policy/modules/system/userdomain.if 2012-10-22 21:59:12.316453239 +0200 
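Review bot: `/root(/.*)? gen_context(system_u:object_r:admin_home_t,s0)` in the userdomain.fc hunk has no object-class restriction and overlaps the `HOME_DIR` entries two lines above it, which genhomedircon also expands for `/root`; which label `/root` and the files under it actually receive depends on setfiles' stem-length and literal-before-regex ordering, and is not obvious from the hunk. Before relying on `admin_home_t` anywhere (the a2assh module in this patch does), check the result with `matchpathcon /root /root/file /root/.ssh/id_rsa` on a built policy and state the intended outcome in a comment, e.g. `# /root and its contents are admin_home_t; HOME_DIR entries above cover ordinary users`. The hunk also drops the blank line that separated the home-directory entries from the `/tmp/gconfd-USER` entry, which is a cosmetic regression.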
@@ -3296,3 +3296,198 @@ interface(`userdom_dbus_send_all_users', allow $1 userdomain:dbus send_msg; ') +######################################## +## <summary> +## dontaudit Search /root +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`userdom_dontaudit_search_admin_dir',` + gen_require(` + type admin_home_t; + ') + + dontaudit $1 admin_home_t:dir search_dir_perms; +') + +######################################## +## <summary> +## dontaudit Search getatrr /root files +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`userdom_dontaudit_getattr_admin_home_files',` + gen_require(` + type admin_home_t; + ') + + dontaudit $1 admin_home_t:file getattr; +') + +######################################## +## <summary> +## dontaudit list /root +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`userdom_dontaudit_list_admin_dir',` + gen_require(` + type admin_home_t; + ') + + dontaudit $1 admin_home_t:dir list_dir_perms; +') + +######################################## +## <summary> +## Allow domain to list /root +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`userdom_list_admin_dir',` + gen_require(` + type admin_home_t; + ') + + allow $1 admin_home_t:dir list_dir_perms; +') + +######################################## +## <summary> +## Allow Search /root +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`userdom_search_admin_dir',` + gen_require(` + type admin_home_t; + ') + + allow $1 admin_home_t:dir search_dir_perms; +') + +######################################## +## <summary> +## Add attrinute admin domain +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. 
+## </summary> +## </param> +# +interface(`userdom_admin',` + gen_require(` + attribute admin_userdomain; + ') + + typeattribute $1 admin_userdomain; +') + +######################################## +## <summary> +## Read admin home files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## <rolecap/> +# +interface(`userdom_read_admin_home_files',` + gen_require(` + type admin_home_t; + ') + + read_files_pattern($1, admin_home_t, admin_home_t) +') + +######################################## +## <summary> +## Execute admin home files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## <rolecap/> +# +interface(`userdom_exec_admin_home_files',` + gen_require(` + type admin_home_t; + ') + + exec_files_pattern($1, admin_home_t, admin_home_t) +') + +######################################## +## <summary> +## Create objects in the /root directory +## with an automatic type transition to +## a specified private type. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## <param name="private_type"> +## <summary> +## The type of the object to create. +## </summary> +## </param> +## <param name="object_class"> +## <summary> +## The class of the object to be created. +## </summary> +## </param> +# +interface(`userdom_admin_home_dir_filetrans',` + gen_require(` + type admin_home_t; + ') + + filetrans_pattern($1, admin_home_t, $2, $3) +') + +######################################## +## <summary> +## Append files inherited +## in the /root directory. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. 
+## </summary> +## </param> +# +interface(`userdom_inherit_append_admin_home_files',` + gen_require(` + type admin_home_t; + ') + + allow $1 admin_home_t:file { getattr append }; +') + Index: refpolicy/policy/modules/system/userdomain.te =================================================================== --- refpolicy.orig/policy/modules/system/userdomain.te 2012-07-25 20:33:04.000000000 +0200 +++ refpolicy/policy/modules/system/userdomain.te 2012-10-22 21:59:12.316453239 +0200 @@ -94,3 +94,10 @@ userdom_user_home_content(user_tmpfs_t) type user_tty_device_t alias { staff_tty_device_t sysadm_tty_device_t secadm_tty_device_t auditadm_tty_device_t unconfined_tty_device_t }; dev_node(user_tty_device_t) ubac_constrained(user_tty_device_t) + +# admin domain +type admin_home_t; +files_type(admin_home_t) +files_associate_tmp(admin_home_t) +fs_associate_tmpfs(admin_home_t) +files_mountpoint(admin_home_t)
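Review bot: `interface(`userdom_admin',`` in the userdomain.if hunk does `gen_require(` attribute admin_userdomain; ')`, but the accompanying userdomain.te hunk only declares `type admin_home_t;`, so unless `admin_userdomain` is declared in a part of userdomain.te outside this patch, the first caller of `userdom_admin()` will fail at build time with an undeclared attribute. The summaries also carry typos that end up in the generated interface documentation: `## dontaudit Search getatrr /root files` should read `## Do not audit attempts to get attributes of files in /root`, and `## Add attrinute admin domain` should read `## Make the domain an admin user domain (adds the admin_userdomain attribute)`. `userdom_admin_home_dir_filetrans` passes only three arguments to `filetrans_pattern`, so it cannot express a name-based transition; if the refpolicy in use supports the optional fourth argument, threading `$4` through keeps the interface consistent with the other `*_filetrans` interfaces. The hunk's enclosing interface list continues past the visible lines.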
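Review bot: `type admin_home_t;` in the userdomain.te hunk is only declared with `files_type`, `files_associate_tmp`, `fs_associate_tmpfs` and `files_mountpoint`, so none of the attribute-based home-content interfaces will see it, and unlike the `user_tty_device_t` line right above it in the context it is not `ubac_constrained`. If `/root` is meant to behave like a home directory for the rest of the policy, `userdom_user_home_content(admin_home_t)` (as the hunk header shows being done for `user_tmpfs_t`) is the expected declaration; if the isolation is intentional, a comment should say so, e.g. `# admin_home_t is deliberately not a user home content type so generic home-content interfaces do not reach /root`. Either way the current two-word comment `# admin domain` does not explain the choice.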