[selinux-policy: 2881/3172] Mozilla_plugin needs to getattr on tmpfs and no longer needs to write to tmpfs_t cleanup of nsplugin
Daniel J Walsh
dwalsh at fedoraproject.org
Thu Oct 7 23:16:33 UTC 2010
commit dfe675b8f7b26efcd882e7af121ef3036524c266
Author: Dan Walsh <dwalsh at redhat.com>
Date: Wed Sep 8 12:06:20 2010 -0400
Mozilla_plugin needs to getattr on tmpfs and no longer needs to write to tmpfs_t
cleanup of nsplugin interface definition
Latest pm-utils is causing lots of domains to see a leaked lock file
I want mplayer to run as unconfined_execmem_t
mountpoint is causing dbus and init apps to getattr on all filesystems directories
Miroslav update dkim-milter
NetworkManager dbus chats with init
Allow apps that can read user_fonts_t to read the symbolic link
udev needs to manage etc_t
policy/modules/apps/execmem.fc | 1 -
policy/modules/apps/mozilla.te | 4 +---
policy/modules/apps/nsplugin.if | 13 +------------
policy/modules/kernel/domain.te | 4 ++++
policy/modules/roles/unconfineduser.te | 13 +++++++++++++
policy/modules/services/dbus.if | 2 +-
policy/modules/services/milter.fc | 4 ++++
policy/modules/services/milter.if | 19 +++++++++++++++++++
policy/modules/services/milter.te | 24 ++++++++++++++++++++++++
policy/modules/services/networkmanager.te | 2 ++
policy/modules/services/xserver.if | 3 +++
policy/modules/system/init.te | 1 +
policy/modules/system/libraries.te | 3 ++-
policy/modules/system/udev.te | 4 +++-
14 files changed, 78 insertions(+), 19 deletions(-)
---
diff --git a/policy/modules/apps/execmem.fc b/policy/modules/apps/execmem.fc
index e049042..9bd4f45 100644
--- a/policy/modules/apps/execmem.fc
+++ b/policy/modules/apps/execmem.fc
@@ -10,7 +10,6 @@
/usr/bin/runhaskell -- gen_context(system_u:object_r:execmem_exec_t,s0)
/usr/bin/sbcl -- gen_context(system_u:object_r:execmem_exec_t,s0)
/usr/bin/skype -- gen_context(system_u:object_r:execmem_exec_t,s0)
-/usr/bin/vlc -- gen_context(system_u:object_r:execmem_exec_t,s0)
/usr/bin/valgrind -- gen_context(system_u:object_r:execmem_exec_t,s0)
/usr/sbin/vboxadd-service -- gen_context(system_u:object_r:execmem_exec_t,s0)
/usr/sbin/VBox.* -- gen_context(system_u:object_r:execmem_exec_t,s0)
diff --git a/policy/modules/apps/mozilla.te b/policy/modules/apps/mozilla.te
index 04f5196..58899ca 100644
--- a/policy/modules/apps/mozilla.te
+++ b/policy/modules/apps/mozilla.te
@@ -332,8 +332,7 @@ domain_dontaudit_read_all_domains_state(mozilla_plugin_t)
files_read_config_files(mozilla_plugin_t)
files_read_usr_files(mozilla_plugin_t)
-# Would like to get rid of this but needed to talk to mislabeled tmpfs
-fs_rw_tmpfs_files(mozilla_plugin_t)
+fs_getattr_tmpfs(mozilla_plugin_t)
miscfiles_read_localization(mozilla_plugin_t)
miscfiles_read_fonts(mozilla_plugin_t)
@@ -367,4 +366,3 @@ optional_policy(`
xserver_read_xdm_pid(mozilla_plugin_t)
xserver_stream_connect(mozilla_plugin_t)
')
-
diff --git a/policy/modules/apps/nsplugin.if b/policy/modules/apps/nsplugin.if
index acab1e7..4dd9d05 100644
--- a/policy/modules/apps/nsplugin.if
+++ b/policy/modules/apps/nsplugin.if
@@ -45,27 +45,16 @@ interface(`nsplugin_manage_rw',`
## <summary>
## The per role template for the nsplugin module.
## </summary>
-## <desc>
-## <p>
-## This template creates a derived domains which are used
-## for nsplugin web browser.
-## </p>
-## <p>
-## This template is invoked automatically for each user, and
-## generally does not need to be invoked directly
-## by policy writers.
-## </p>
-## </desc>
## <param name="user_role">
## <summary>
## The role associated with the user domain.
## </summary>
+## </param>
## <param name="user_domain">
## <summary>
## The type of the user domain.
## </summary>
## </param>
-## </param>
#
interface(`nsplugin_role_notrans',`
gen_require(`
diff --git a/policy/modules/kernel/domain.te b/policy/modules/kernel/domain.te
index ae62211..d58ef64 100644
--- a/policy/modules/kernel/domain.te
+++ b/policy/modules/kernel/domain.te
@@ -252,6 +252,10 @@ ifdef(`hide_broken_symptoms',`
')
optional_policy(`
+ hal_dontaudit_read_pid_files(domain)
+')
+
+optional_policy(`
ifdef(`hide_broken_symptoms',`
afs_rw_udp_sockets(domain)
')
diff --git a/policy/modules/roles/unconfineduser.te b/policy/modules/roles/unconfineduser.te
index 177e89c..799db36 100644
--- a/policy/modules/roles/unconfineduser.te
+++ b/policy/modules/roles/unconfineduser.te
@@ -15,6 +15,13 @@ gen_tunable(allow_unconfined_nsplugin_transition, false)
## <desc>
## <p>
+## Allow vidio playing tools to tun unconfined
+## </p>
+## </desc>
+gen_tunable(unconfined_mplayer, false)
+
+## <desc>
+## <p>
## Allow a user to login as an unconfined domain
## </p>
## </desc>
@@ -436,6 +443,12 @@ optional_policy(`
')
optional_policy(`
+ tunable_policy(`unconfined_login',`
+ mplayer_exec_domtrans(unconfined_t, unconfined_execmem_t)
+ ')
+ ')
+
+ optional_policy(`
openoffice_exec_domtrans(unconfined_t, unconfined_execmem_t)
')
')
diff --git a/policy/modules/services/dbus.if b/policy/modules/services/dbus.if
index 4ab36ba..e385f2f 100644
--- a/policy/modules/services/dbus.if
+++ b/policy/modules/services/dbus.if
@@ -442,7 +442,7 @@ interface(`dbus_system_domain',`
domtrans_pattern(system_dbusd_t, $2, $1)
- fs_search_cgroup_dirs($1)
+ fs_search_all($1)
dbus_system_bus_client($1)
dbus_connect_system_bus($1)
diff --git a/policy/modules/services/milter.fc b/policy/modules/services/milter.fc
index 55a3e2f..613c69d 100644
--- a/policy/modules/services/milter.fc
+++ b/policy/modules/services/milter.fc
@@ -1,3 +1,6 @@
+/etc/mail/dkim-milter/keys(/.*)? gen_context(system_u:object_r:dkim_milter_private_key_t,s0)
+
+/usr/sbin/dkim-filter -- gen_context(system_u:object_r:dkim_milter_exec_t,s0)
/usr/sbin/milter-greylist -- gen_context(system_u:object_r:greylist_milter_exec_t,s0)
/usr/sbin/milter-regex -- gen_context(system_u:object_r:regex_milter_exec_t,s0)
/usr/sbin/spamass-milter -- gen_context(system_u:object_r:spamass_milter_exec_t,s0)
@@ -5,6 +8,7 @@
/var/lib/milter-greylist(/.*)? gen_context(system_u:object_r:greylist_milter_data_t,s0)
/var/lib/spamass-milter(/.*)? gen_context(system_u:object_r:spamass_milter_state_t,s0)
+/var/run/dkim-milter(/.*)? gen_context(system_u:object_r:dkim_milter_data_t,s0)
/var/run/milter-greylist(/.*)? gen_context(system_u:object_r:greylist_milter_data_t,s0)
/var/run/milter-greylist\.pid -- gen_context(system_u:object_r:greylist_milter_data_t,s0)
/var/run/spamass-milter(/.*)? gen_context(system_u:object_r:spamass_milter_data_t,s0)
diff --git a/policy/modules/services/milter.if b/policy/modules/services/milter.if
index 96cba91..a000225 100644
--- a/policy/modules/services/milter.if
+++ b/policy/modules/services/milter.if
@@ -120,3 +120,22 @@ interface(`milter_manage_spamass_state',`
manage_dirs_pattern($1, spamass_milter_state_t, spamass_milter_state_t)
manage_lnk_files_pattern($1, spamass_milter_state_t, spamass_milter_state_t)
')
+
+#######################################
+## <summary>
+## Delete dkim-milter PID files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`milter_delete_dkim_pid_files',`
+ gen_require(`
+ type dkim_milter_data_t;
+ ')
+
+ files_search_pids($1)
+ delete_files_pattern($1, dkim_milter_data_t, dkim_milter_data_t)
+')
diff --git a/policy/modules/services/milter.te b/policy/modules/services/milter.te
index 1b6dea0..6ba48ff 100644
--- a/policy/modules/services/milter.te
+++ b/policy/modules/services/milter.te
@@ -9,6 +9,13 @@ policy_module(milter, 1.2.1)
attribute milter_domains;
attribute milter_data_type;
+# support for dkim-milter - domainKeys Identified Mail sender authentication sendmail milter
+milter_template(dkim)
+
+# type for the private key of dkim-milter
+type dkim_milter_private_key_t;
+files_type(dkim_milter_private_key_t)
+
# currently-supported milters are milter-greylist, milter-regex and spamass-milter
milter_template(greylist)
milter_template(regex)
@@ -20,6 +27,23 @@ milter_template(spamass)
type spamass_milter_state_t;
files_type(spamass_milter_state_t)
+#######################################
+#
+# dkim-milter local policy
+#
+
+allow dkim_milter_t self:capability { kill setgid setuid };
+
+allow dkim_milter_t self:unix_stream_socket create_stream_socket_perms;
+
+read_files_pattern(dkim_milter_t, dkim_milter_private_key_t, dkim_milter_private_key_t)
+
+auth_use_nsswitch(dkim_milter_t)
+
+sysnet_dns_name_resolve(dkim_milter_t)
+
+mta_read_config(dkim_milter_t)
+
########################################
#
# milter-greylist local policy
diff --git a/policy/modules/services/networkmanager.te b/policy/modules/services/networkmanager.te
index 9677236..45ecee3 100644
--- a/policy/modules/services/networkmanager.te
+++ b/policy/modules/services/networkmanager.te
@@ -189,6 +189,8 @@ optional_policy(`
optional_policy(`
dbus_system_domain(NetworkManager_t, NetworkManager_exec_t)
+ init_dbus_chat(NetworkManager_t)
+
optional_policy(`
consolekit_dbus_chat(NetworkManager_t)
')
diff --git a/policy/modules/services/xserver.if b/policy/modules/services/xserver.if
index 0515e6a..4bc9fff 100644
--- a/policy/modules/services/xserver.if
+++ b/policy/modules/services/xserver.if
@@ -38,6 +38,7 @@ interface(`xserver_restricted_role',`
allow $2 user_fonts_t:dir list_dir_perms;
allow $2 user_fonts_t:file read_file_perms;
+ allow $2 user_fonts_t:lnk_file read_lnk_file_perms;
allow $2 user_fonts_config_t:dir list_dir_perms;
allow $2 user_fonts_config_t:file read_file_perms;
@@ -164,6 +165,7 @@ interface(`xserver_role',`
mls_xwin_read_to_clearance($2)
manage_dirs_pattern($2, user_fonts_t, user_fonts_t)
manage_files_pattern($2, user_fonts_t, user_fonts_t)
+ allow $2 user_fonts_t:lnk_file read_lnk_file_perms;
relabel_dirs_pattern($2, user_fonts_t, user_fonts_t)
relabel_files_pattern($2, user_fonts_t, user_fonts_t)
@@ -551,6 +553,7 @@ interface(`xserver_use_user_fonts',`
# Read per user fonts
allow $1 user_fonts_t:dir list_dir_perms;
allow $1 user_fonts_t:file read_file_perms;
+ allow $1 user_fonts_t:lnk_file read_lnk_file_perms;
# Manipulate the global font cache
manage_dirs_pattern($1, user_fonts_cache_t, user_fonts_cache_t)
diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
index 9f9b812..a80b4c7 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -882,6 +882,7 @@ optional_policy(`
')
optional_policy(`
+ milter_delete_dkim_pid_files(initrc_t)
milter_setattr_all_dirs(initrc_t)
')
diff --git a/policy/modules/system/libraries.te b/policy/modules/system/libraries.te
index 561a849..99d7f60 100644
--- a/policy/modules/system/libraries.te
+++ b/policy/modules/system/libraries.te
@@ -153,4 +153,5 @@ optional_policy(`
optional_policy(`
unconfined_domain(ldconfig_t)
-')'
+')
+
diff --git a/policy/modules/system/udev.te b/policy/modules/system/udev.te
index f99fdcb..9f316ca 100644
--- a/policy/modules/system/udev.te
+++ b/policy/modules/system/udev.te
@@ -112,7 +112,9 @@ domain_dontaudit_ptrace_all_domains(udev_t) #pidof triggers these
files_read_usr_files(udev_t)
files_read_etc_runtime_files(udev_t)
-files_read_etc_files(udev_t)
+
+# console_init manages files in /etc/sysconfig
+files_manage_etc_files(udev_t)
files_exec_etc_files(udev_t)
files_dontaudit_search_isid_type_dirs(udev_t)
files_getattr_generic_locks(udev_t)
More information about the scm-commits
mailing list