[selinux-policy: 3155/3172] Allow mozilla_plugin to manage all gnome config files Allow nsplugin_t to read lnk files in nsplugin

Daniel J Walsh dwalsh at fedoraproject.org
Thu Oct 7 23:40:30 UTC 2010


commit 79bff2bb38a3054376d6179f3f1105c3540092f6
Author: Dan Walsh <dwalsh at redhat.com>
Date:   Tue Sep 28 16:24:56 2010 -0400

    Allow mozilla_plugin to manage all gnome config files
    Allow nsplugin_t to read lnk files in nsplugin_rw_t
    New labeling for packagekit scripts to bin_t
    Allow mount_t to delete etc_t
    Allow fsdaemon_t to read usr_t files

 policy/modules/apps/mozilla.te        |    7 +++++--
 policy/modules/apps/nsplugin.te       |    4 ++--
 policy/modules/kernel/corecommands.fc |    2 ++
 policy/modules/services/smartmon.te   |    1 +
 policy/modules/system/mount.te        |    5 +++--
 5 files changed, 13 insertions(+), 6 deletions(-)
---
diff --git a/policy/modules/apps/mozilla.te b/policy/modules/apps/mozilla.te
index 5c3200a..3ecd99b 100644
--- a/policy/modules/apps/mozilla.te
+++ b/policy/modules/apps/mozilla.te
@@ -346,6 +346,8 @@ fs_getattr_tmpfs(mozilla_plugin_t)
 miscfiles_read_localization(mozilla_plugin_t)
 miscfiles_read_fonts(mozilla_plugin_t)
 
+sysnet_dns_name_resolve(mozilla_plugin_t)
+
 term_getattr_all_ttys(mozilla_plugin_t)
 term_getattr_all_ptys(mozilla_plugin_t)
 
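Review bot: The added `sysnet_dns_name_resolve(mozilla_plugin_t)` has no comment and is not mentioned in the commit message, so a later reader cannot tell why the confined plugin domain needs it. The interface body is not part of this patch; judging by its name it grants what name resolution needs, which is worth recording for a domain that handles untrusted web content. I would add a line above it such as `# plugins resolve host names themselves when fetching content`, with the wording confirmed by the author.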
@@ -371,7 +373,7 @@ optional_policy(`
 ')
 
 optional_policy(`
-	gnome_manage_home_config(mozilla_plugin_t)
+	gnome_manage_config(mozilla_plugin_t)
 	gnome_setattr_home_config(mozilla_plugin_t)
 ')
 
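Review bot: Replacing `gnome_manage_home_config` with `gnome_manage_config` widens what mozilla_plugin_t may create, write and delete, and the hunk gives no reason for it. The commit message describes the new scope as all gnome config files; the interface body is outside this patch, so the exact set of types is unconfirmed. For a domain that runs untrusted plugin content, manage access to configuration that other desktop programs read deserves either a narrower rule or a recorded justification, for example `# plugin writes <denied type, from the AVC> config; home_config alone was not enough`. It is also worth checking whether the retained `gnome_setattr_home_config(mozilla_plugin_t)` is still needed or is now covered by the wider interface.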
@@ -380,11 +382,12 @@ optional_policy(`
 	nsplugin_rw_exec(mozilla_plugin_t)
 	nsplugin_manage_home_dirs(mozilla_plugin_t)
 	nsplugin_manage_home_files(mozilla_plugin_t)
-	nsplugin_user_home_dir_filetrans(mozilla_plugin_t)
+	nsplugin_user_home_dir_filetrans(mozilla_plugin_t, dir)
 	nsplugin_signal(mozilla_plugin_t)
 ')
 
 optional_policy(`
+	pulseaudio_setattr_home_dir(mozilla_plugin_t)
 	pulseaudio_rw_home_files(mozilla_plugin_t)
 ')
 
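Review bot: `nsplugin_user_home_dir_filetrans(mozilla_plugin_t, dir)` now passes a second argument, but nsplugin.if is not among the five files this commit changes, so the call only has an effect if the interface already takes an object class parameter. m4 silently discards surplus arguments, so an interface that never expands `$2` would leave the transition exactly as before without any build error; please confirm against the interface file. In the same hunk `pulseaudio_setattr_home_dir(mozilla_plugin_t)` is added without a mention in the commit message; a one-line comment stating why the plugin changes attributes on that directory would document it. The optional_policy block holding the nsplugin calls starts above the hunk.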
diff --git a/policy/modules/apps/nsplugin.te b/policy/modules/apps/nsplugin.te
index 7bc0dcf..594e5d9 100644
--- a/policy/modules/apps/nsplugin.te
+++ b/policy/modules/apps/nsplugin.te
@@ -63,8 +63,8 @@ allow nsplugin_t self:msgq create_msgq_perms;
 allow nsplugin_t self:unix_stream_socket { connectto create_stream_socket_perms };
 allow nsplugin_t self:unix_dgram_socket create_socket_perms;
 allow nsplugin_t nsplugin_rw_t:dir list_dir_perms;
-read_lnk_files_pattern(nsplugin_config_t, nsplugin_rw_t, nsplugin_rw_t)
-read_files_pattern(nsplugin_config_t, nsplugin_rw_t, nsplugin_rw_t)
+read_lnk_files_pattern(nsplugin_t, nsplugin_rw_t, nsplugin_rw_t)
+read_files_pattern(nsplugin_t, nsplugin_rw_t, nsplugin_rw_t)
 
 tunable_policy(`allow_nsplugin_execmem',`
 	allow nsplugin_t self:process { execstack execmem };
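Review bot: Changing the source type of both patterns from nsplugin_config_t to nsplugin_t also takes away the read access nsplugin_config_t had to nsplugin_rw_t files and symlinks, and nothing in this hunk restores it. If the old lines were simply misplaced in the nsplugin_t section, confirm that the nsplugin_config_t section (outside this hunk) has its own `read_files_pattern(nsplugin_config_t, nsplugin_rw_t, nsplugin_rw_t)` and `read_lnk_files_pattern(nsplugin_config_t, nsplugin_rw_t, nsplugin_rw_t)`; otherwise the config helper may start generating denials. The commit message mentions only the lnk_file rule, so the file rule change should be noted there as well. The tunable_policy block at the end of the hunk continues outside it.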
diff --git a/policy/modules/kernel/corecommands.fc b/policy/modules/kernel/corecommands.fc
index 794a0eb..38d675c 100644
--- a/policy/modules/kernel/corecommands.fc
+++ b/policy/modules/kernel/corecommands.fc
@@ -74,6 +74,8 @@ ifdef(`distro_redhat',`
 
 /etc/netplug\.d(/.*)? 	 		gen_context(system_u:object_r:bin_t,s0)
 
+/etc/PackageKit/events(/.*)?			gen_context(system_u:object_r:bin_t,s0)
+
 /etc/pm/power\.d(/.*)?			gen_context(system_u:object_r:bin_t,s0)
 /etc/pm/sleep\.d(/.*)?			gen_context(system_u:object_r:bin_t,s0)
 
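Review bot: The new entry `/etc/PackageKit/events(/.*)?` labels the directory and everything beneath it as bin_t, with no comment saying that it holds hook scripts. bin_t content is generally executable by confined domains, so the pattern should match only what is meant to be run, and the directory should remain writable by root alone; whether non-script files also live there is not visible from the patch. A short comment above the entry, for example `# PackageKit event hook scripts`, would make the intent clear. Whether the line sits inside the distro_redhat ifdef named in the hunk header cannot be determined from the hunk.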
diff --git a/policy/modules/services/smartmon.te b/policy/modules/services/smartmon.te
index 894f62d..6f49778 100644
--- a/policy/modules/services/smartmon.te
+++ b/policy/modules/services/smartmon.te
@@ -72,6 +72,7 @@ files_exec_etc_files(fsdaemon_t)
 files_read_etc_runtime_files(fsdaemon_t)
 # for config
 files_read_etc_files(fsdaemon_t)
+files_read_usr_files(fsdaemon_t)
 
 fs_getattr_all_fs(fsdaemon_t)
 fs_search_auto_mountpoints(fsdaemon_t)
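Review bot: `files_read_usr_files(fsdaemon_t)` is placed directly under the existing `# for config` comment, which describes the etc_t read above it, so the new rule reads as if it were also about configuration. Give it its own comment naming the usr_t files the daemon reads, for example `# for the drive database under /usr/share` if that is the reason (the commit does not say), and separate it from the etc rule with a blank line. usr_t covers a large part of /usr, so recording the motive helps anyone who later wants to replace this with a dedicated type.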
diff --git a/policy/modules/system/mount.te b/policy/modules/system/mount.te
index 0fcd4e7..8848e14 100644
--- a/policy/modules/system/mount.te
+++ b/policy/modules/system/mount.te
@@ -112,16 +112,17 @@ files_search_all(mount_t)
 files_read_etc_files(mount_t)
 files_manage_etc_runtime_files(mount_t)
 files_etc_filetrans_etc_runtime(mount_t, file)
+# for when /etc/mtab loses its type
+files_delete_etc_files(mount_t)
 files_mounton_all_mountpoints(mount_t)
 # ntfs-3g checks whether the mountpoint is writable before mounting
 files_write_all_mountpoints(mount_t)
 files_unmount_rootfs(mount_t)
+
 # These rules need to be generalized.  Only admin, initrc should have it:
 files_relabel_all_file_type_fs(mount_t)
 files_mount_all_file_type_fs(mount_t)
 files_unmount_all_file_type_fs(mount_t)
-# for when /etc/mtab loses its type
-# cjp: this seems wrong, the type should probably be etc
 files_read_isid_type_files(mount_t)
 # For reading cert files
 files_read_usr_files(mount_t)
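Review bot: `files_delete_etc_files(mount_t)` is justified by its comment as a fix for /etc/mtab losing its type, but the interface name suggests it permits deleting any etc_t file, and etc_t is the default label for most of /etc. That is far wider than the one file named; a dedicated type for mtab, or fixing the relabel path so mtab keeps etc_runtime_t, would keep a misbehaving mount helper from removing unrelated configuration. At minimum extend the comment, e.g. `# FIXME: only /etc/mtab is needed; etc_t covers most of /etc`. The hunk also strips both comments from `files_read_isid_type_files(mount_t)`, including the earlier doubt that the rule is wrong, leaving it unexplained; keep a comment on that line.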

