[selinux-policy: 3159/3172] Allow unconfined_t to transition to alsa_t to make sure labels stay correct Lots of fixes for mozill
Daniel J Walsh
dwalsh at fedoraproject.org
Thu Oct 7 23:40:58 UTC 2010
commit ddd1ccaa9394dbe6b407192d892c9d461caa4c08
Author: Dan Walsh <dwalsh at redhat.com>
Date: Sun Oct 3 07:48:01 2010 -0400
Allow unconfined_t to transition to alsa_t to make sure labels stay correct
Lots of fixes for mozilla_plugin nsplugin and mozilla_plugin are starting to merge
telepath_msn_t tries to read /proc/1/exe
Allow smokeping cgi scripts to create /var/lib/smokeping dirs.
Allow smbd_t to getquota on multiple file systems
policy/modules/admin/alsa.if | 26 +++++++++++++++++++++
policy/modules/apps/mozilla.if | 39 ++++++++++++++++++++++++++++++-
policy/modules/apps/mozilla.te | 3 ++
policy/modules/apps/nsplugin.fc | 1 +
policy/modules/apps/nsplugin.te | 3 ++
policy/modules/apps/qemu.if | 2 +-
policy/modules/apps/telepathy.te | 2 +
policy/modules/roles/unconfineduser.te | 21 +++++++---------
policy/modules/services/apache.te | 2 +-
policy/modules/services/samba.te | 1 +
policy/modules/services/smokeping.te | 1 +
policy/modules/system/authlogin.if | 19 ---------------
12 files changed, 85 insertions(+), 35 deletions(-)
---
diff --git a/policy/modules/admin/alsa.if b/policy/modules/admin/alsa.if
index 69aa742..20d51d0 100644
--- a/policy/modules/admin/alsa.if
+++ b/policy/modules/admin/alsa.if
@@ -21,6 +21,32 @@ interface(`alsa_domtrans',`
########################################
## <summary>
+## Execute a domain transition to run
+## Alsa, and allow the specified role
+## the Alsa domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+#
+interface(`alsa_run',`
+ gen_require(`
+ type alsa_t;
+ ')
+
+ alsa_domtrans($1)
+ role $2 types alsa_t;
+')
+
+########################################
+## <summary>
## Read and write Alsa semaphores.
## </summary>
## <param name="domain">
diff --git a/policy/modules/apps/mozilla.if b/policy/modules/apps/mozilla.if
index 47aa143..dfac7cc 100644
--- a/policy/modules/apps/mozilla.if
+++ b/policy/modules/apps/mozilla.if
@@ -29,7 +29,7 @@ interface(`mozilla_role',`
allow mozilla_t $2:process { sigchld signull };
allow mozilla_t $2:unix_stream_socket connectto;
- mozilla_plugin_run(mozilla_t, $2)
+ mozilla_run_plugin(mozilla_t, $2)
# Allow the user domain to signal/ps.
ps_process_pattern($2, mozilla_t)
@@ -140,6 +140,24 @@ interface(`mozilla_dontaudit_manage_user_home_files',`
########################################
## <summary>
+## Execute mozilla home directory content.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`mozilla_execute_user_home_files',`
+ gen_require(`
+ type mozilla_home_t;
+ ')
+
+ can_exec($1, mozilla_home_t)
+')
+
+########################################
+## <summary>
## Execmod mozilla home directory content.
## </summary>
## <param name="domain">
@@ -190,6 +208,7 @@ interface(`mozilla_domtrans_plugin',`
')
domtrans_pattern($1, mozilla_plugin_exec_t, mozilla_plugin_t)
+ allow mozilla_plugin_t $1:process signull;
')
@@ -216,8 +235,24 @@ interface(`mozilla_run_plugin',`
mozilla_domtrans_plugin($1)
role $2 types mozilla_plugin_t;
+')
- allow mozilla_plugin_t $1:process signull;
+########################################
+## <summary>
+## Execute qemu unconfined programs in the role.
+## </summary>
+## <param name="role">
+## <summary>
+## The role to allow the mozilla_plugin domain.
+## </summary>
+## </param>
+#
+interface(`mozilla_role_plugin',`
+ gen_require(`
+ type mozilla_plugin_t;
+ ')
+
+ role $1 types mozilla_plugin_t;
')
########################################
diff --git a/policy/modules/apps/mozilla.te b/policy/modules/apps/mozilla.te
index 70d899d..cc87b60 100644
--- a/policy/modules/apps/mozilla.te
+++ b/policy/modules/apps/mozilla.te
@@ -312,6 +312,7 @@ read_files_pattern(mozilla_plugin_t, mozilla_home_t, mozilla_home_t)
manage_dirs_pattern(mozilla_plugin_t, mozilla_plugin_tmp_t, mozilla_plugin_tmp_t)
manage_files_pattern(mozilla_plugin_t, mozilla_plugin_tmp_t, mozilla_plugin_tmp_t)
files_tmp_filetrans(mozilla_plugin_t, mozilla_plugin_tmp_t, { dir file })
+can_exec(mozilla_plugin_t, mozilla_plugin_tmp_t)
manage_files_pattern(mozilla_plugin_t, mozilla_plugin_tmpfs_t, mozilla_plugin_tmpfs_t)
manage_lnk_files_pattern(mozilla_plugin_t, mozilla_plugin_tmpfs_t, mozilla_plugin_tmpfs_t)
@@ -365,6 +366,7 @@ userdom_rw_user_tmpfs_files(mozilla_plugin_t)
userdom_delete_user_tmpfs_files(mozilla_plugin_t)
userdom_stream_connect(mozilla_plugin_t)
userdom_dontaudit_use_user_ptys(mozilla_plugin_t)
+userdom_manage_user_tmp_sockets(mozilla_plugin_t)
userdom_list_user_tmp(mozilla_plugin_t)
userdom_read_user_tmp_files(mozilla_plugin_t)
@@ -408,4 +410,5 @@ optional_policy(`
xserver_read_xdm_pid(mozilla_plugin_t)
xserver_stream_connect(mozilla_plugin_t)
xserver_use_user_fonts(mozilla_plugin_t)
+ xserver_read_user_iceauth(mozilla_plugin_t)
')
diff --git a/policy/modules/apps/nsplugin.fc b/policy/modules/apps/nsplugin.fc
index 63abc5c..717eb3f 100644
--- a/policy/modules/apps/nsplugin.fc
+++ b/policy/modules/apps/nsplugin.fc
@@ -1,5 +1,6 @@
HOME_DIR/\.adobe(/.*)? gen_context(system_u:object_r:nsplugin_home_t,s0)
HOME_DIR/\.macromedia(/.*)? gen_context(system_u:object_r:nsplugin_home_t,s0)
+HOME_DIR/\.gnash(/.*)? gen_context(system_u:object_r:nsplugin_home_t,s0)
HOME_DIR/\.gcjwebplugin(/.*)? gen_context(system_u:object_r:nsplugin_home_t,s0)
HOME_DIR/\.icedteaplugin(/.*)? gen_context(system_u:object_r:nsplugin_home_t,s0)
diff --git a/policy/modules/apps/nsplugin.te b/policy/modules/apps/nsplugin.te
index 4e8a49e..1ca0e76 100644
--- a/policy/modules/apps/nsplugin.te
+++ b/policy/modules/apps/nsplugin.te
@@ -129,6 +129,7 @@ fs_getattr_xattr_fs(nsplugin_t)
fs_search_auto_mountpoints(nsplugin_t)
fs_rw_anon_inodefs_files(nsplugin_t)
fs_list_inotifyfs(nsplugin_t)
+fs_dontaudit_list_fusefs(nsplugin_t)
storage_dontaudit_getattr_fixed_disk_dev(nsplugin_t)
storage_dontaudit_getattr_removable_dev(nsplugin_t)
@@ -180,6 +181,7 @@ optional_policy(`
')
optional_policy(`
+ mozilla_execute_user_home_files(nsplugin_t)
mozilla_read_user_home_files(nsplugin_t)
mozilla_write_user_home_files(nsplugin_t)
')
@@ -225,6 +227,7 @@ allow nsplugin_config_t self:fifo_file rw_file_perms;
allow nsplugin_config_t self:unix_stream_socket create_stream_socket_perms;
dev_dontaudit_read_rand(nsplugin_config_t)
+dev_dontaudit_rw_dri(nsplugin_config_t)
fs_search_auto_mountpoints(nsplugin_config_t)
fs_list_inotifyfs(nsplugin_config_t)
diff --git a/policy/modules/apps/qemu.if b/policy/modules/apps/qemu.if
index 8d8d961..f4e1572 100644
--- a/policy/modules/apps/qemu.if
+++ b/policy/modules/apps/qemu.if
@@ -339,7 +339,7 @@ interface(`qemu_spec_domtrans',`
## </summary>
## <param name="role">
## <summary>
-## The role to allow the PAM domain.
+## The role to allow the qemu unconfined domain.
## </summary>
## </param>
#
diff --git a/policy/modules/apps/telepathy.te b/policy/modules/apps/telepathy.te
index 34a2b48..0b28cf8 100644
--- a/policy/modules/apps/telepathy.te
+++ b/policy/modules/apps/telepathy.te
@@ -77,6 +77,8 @@ files_read_usr_files(telepathy_msn_t)
auth_use_nsswitch(telepathy_msn_t)
+init_read_state(telepathy_msn_t)
+
libs_exec_ldconfig(telepathy_msn_t)
logging_send_syslog_msg(telepathy_msn_t)
diff --git a/policy/modules/roles/unconfineduser.te b/policy/modules/roles/unconfineduser.te
index 0e47a85..31bbe95 100644
--- a/policy/modules/roles/unconfineduser.te
+++ b/policy/modules/roles/unconfineduser.te
@@ -22,13 +22,6 @@ gen_tunable(unconfined_mozilla_plugin_transition, false)
## <desc>
## <p>
-## Transition unconfined user to telepathy confined domains.
-## </p>
-## </desc>
-gen_tunable(unconfined_telepathy_transition, false)
-
-## <desc>
-## <p>
## Allow vidio playing tools to tun unconfined
## </p>
## </desc>
@@ -227,6 +220,10 @@ optional_policy(`
')
optional_policy(`
+ alsa_run(unconfined_t, unconfined_r)
+')
+
+optional_policy(`
apache_run_helper(unconfined_t, unconfined_r)
')
@@ -341,8 +338,10 @@ optional_policy(`
optional_policy(`
+ mozilla_role_plugin(unconfined_r)
+
tunable_policy(`unconfined_mozilla_plugin_transition', `
- mozilla_run_plugin(unconfined_usertype, unconfined_r)
+ mozilla_domtrans_plugin(unconfined_usertype)
')
')
@@ -373,7 +372,7 @@ optional_policy(`
qemu_domtrans(unconfined_t)
',`
qemu_domtrans_unconfined(unconfined_t)
-')
+ ')
')
optional_policy(`
@@ -404,9 +403,7 @@ optional_policy(`
')
optional_policy(`
- tunable_policy(`unconfined_telepathy_transition', `
- telepathy_dbus_session_role(unconfined_r, unconfined_t)
- ')
+ telepathy_dbus_session_role(unconfined_r, unconfined_t)
')
optional_policy(`
diff --git a/policy/modules/services/apache.te b/policy/modules/services/apache.te
index 300dffb..411a3ff 100644
--- a/policy/modules/services/apache.te
+++ b/policy/modules/services/apache.te
@@ -765,7 +765,7 @@ optional_policy(`
')
optional_policy(`
- smokeping_getattr_lib_files(httpd_t)
+ smokeping_read_lib_files(httpd_t)
')
optional_policy(`
diff --git a/policy/modules/services/samba.te b/policy/modules/services/samba.te
index e4334a6..8e36be0 100644
--- a/policy/modules/services/samba.te
+++ b/policy/modules/services/samba.te
@@ -325,6 +325,7 @@ fs_get_xattr_fs_quotas(smbd_t)
fs_search_auto_mountpoints(smbd_t)
fs_getattr_rpc_dirs(smbd_t)
fs_list_inotifyfs(smbd_t)
+fs_get_all_fs_quotas(smbd_t)
auth_use_nsswitch(smbd_t)
auth_domtrans_chk_passwd(smbd_t)
diff --git a/policy/modules/services/smokeping.te b/policy/modules/services/smokeping.te
index 058bfc9..247beaf 100644
--- a/policy/modules/services/smokeping.te
+++ b/policy/modules/services/smokeping.te
@@ -65,6 +65,7 @@ optional_policy(`
allow httpd_smokeping_cgi_script_t self:udp_socket create_socket_perms;
+ manage_dirs_pattern(httpd_smokeping_cgi_script_t, smokeping_var_lib_t, smokeping_var_lib_t)
manage_files_pattern(httpd_smokeping_cgi_script_t, smokeping_var_lib_t, smokeping_var_lib_t)
getattr_files_pattern(httpd_smokeping_cgi_script_t, smokeping_var_run_t, smokeping_var_run_t)
diff --git a/policy/modules/system/authlogin.if b/policy/modules/system/authlogin.if
index 149e383..c411b5e 100644
--- a/policy/modules/system/authlogin.if
+++ b/policy/modules/system/authlogin.if
@@ -1432,25 +1432,6 @@ interface(`auth_read_login_records',`
########################################
## <summary>
-## Read login records files (/var/log/wtmp).
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed access.
-## </summary>
-## </param>
-## <rolecap/>
-#
-interface(`auth_dontaudit_read_login_records',`
- gen_require(`
- type wtmp_t;
- ')
-
- dontaudit $1 wtmp_t:file read_file_perms;
-')
-
-########################################
-## <summary>
## Do not audit attempts to read login records
## files (/var/log/wtmp).
## </summary>
More information about the scm-commits
mailing list