[selinux-policy/f18] sandbox_file_t is moved to sandboxX

Miroslav Grepl mgrepl at fedoraproject.org
Mon Sep 3 10:44:02 UTC 2012


commit 4e81f7a86b2752e37169fcbcc498bca65a28b1a4
Author: Miroslav Grepl <mgrepl at redhat.com>
Date:   Mon Sep 3 12:43:41 2012 +0200

    sandbox_file_t is moved to sandboxX

 policy_contrib-rawhide.patch |  182 ++++++++++++++++++++++++++++--------------
 1 files changed, 122 insertions(+), 60 deletions(-)
---
diff --git a/policy_contrib-rawhide.patch b/policy_contrib-rawhide.patch
index f7d92cd..0d47838 100644
--- a/policy_contrib-rawhide.patch
+++ b/policy_contrib-rawhide.patch
@@ -30675,7 +30675,7 @@ index b681608..27460d5 100644
  term_dontaudit_use_all_ptys(memcached_t)
  term_dontaudit_use_all_ttys(memcached_t)
 diff --git a/milter.fc b/milter.fc
-index 1ec5a6c..06beeb2 100644
+index 1ec5a6c..9485753 100644
 --- a/milter.fc
 +++ b/milter.fc
 @@ -1,13 +1,21 @@
@@ -30690,7 +30690,7 @@ index 1ec5a6c..06beeb2 100644
  
 +/var/lib/dkim-milter(/.*)?          gen_context(system_u:object_r:dkim_milter_data_t,s0)
  /var/lib/milter-greylist(/.*)?		gen_context(system_u:object_r:greylist_milter_data_t,s0)
-+/var/lib/sqlgrey(/.*)?  	--		gen_context(system_u:object_r:greylist_milter_data_t,s0)
++/var/lib/sqlgrey(/.*)?  			gen_context(system_u:object_r:greylist_milter_data_t,s0)
  /var/lib/spamass-milter(/.*)?		gen_context(system_u:object_r:spamass_milter_state_t,s0)
  
 +/var/run/dkim-milter(/.*)?              gen_context(system_u:object_r:dkim_milter_data_t,s0)
@@ -31940,10 +31940,22 @@ index b397fde..36e1117 100644
 +')
 +
 diff --git a/mozilla.te b/mozilla.te
-index d4fcb75..787adcf 100644
+index d4fcb75..3287b22 100644
 --- a/mozilla.te
 +++ b/mozilla.te
-@@ -12,14 +12,22 @@ policy_module(mozilla, 2.6.0)
+@@ -7,19 +7,34 @@ policy_module(mozilla, 2.6.0)
+ 
+ ## <desc>
+ ## <p>
++## Allow mozilla plugin domain to connect to the network using TCP.
++## </p>
++## </desc>
++gen_tunable(mozilla_plugin_can_network_connect, false)
++
++## <desc>
++## <p>
+ ## Allow confined web browsers to read home directory content
+ ## </p>
  ## </desc>
  gen_tunable(mozilla_read_content, false)
  
@@ -31968,7 +31980,7 @@ index d4fcb75..787adcf 100644
  
  type mozilla_conf_t;
  files_config_file(mozilla_conf_t)
-@@ -32,14 +40,26 @@ userdom_user_home_content(mozilla_home_t)
+@@ -32,14 +47,26 @@ userdom_user_home_content(mozilla_home_t)
  type mozilla_plugin_t;
  type mozilla_plugin_exec_t;
  application_domain(mozilla_plugin_t, mozilla_plugin_exec_t)
@@ -31996,7 +32008,7 @@ index d4fcb75..787adcf 100644
  type mozilla_tmp_t;
  userdom_user_tmp_file(mozilla_tmp_t)
  
-@@ -100,7 +120,6 @@ corecmd_exec_shell(mozilla_t)
+@@ -100,7 +127,6 @@ corecmd_exec_shell(mozilla_t)
  corecmd_exec_bin(mozilla_t)
  
  # Browse the web, connect to printer
@@ -32004,7 +32016,7 @@ index d4fcb75..787adcf 100644
  corenet_all_recvfrom_netlabel(mozilla_t)
  corenet_tcp_sendrecv_generic_if(mozilla_t)
  corenet_raw_sendrecv_generic_if(mozilla_t)
-@@ -110,6 +129,7 @@ corenet_tcp_sendrecv_http_port(mozilla_t)
+@@ -110,6 +136,7 @@ corenet_tcp_sendrecv_http_port(mozilla_t)
  corenet_tcp_sendrecv_http_cache_port(mozilla_t)
  corenet_tcp_sendrecv_squid_port(mozilla_t)
  corenet_tcp_sendrecv_ftp_port(mozilla_t)
@@ -32012,7 +32024,7 @@ index d4fcb75..787adcf 100644
  corenet_tcp_sendrecv_ipp_port(mozilla_t)
  corenet_tcp_connect_http_port(mozilla_t)
  corenet_tcp_connect_http_cache_port(mozilla_t)
-@@ -140,7 +160,6 @@ domain_dontaudit_read_all_domains_state(mozilla_t)
+@@ -140,7 +167,6 @@ domain_dontaudit_read_all_domains_state(mozilla_t)
  
  files_read_etc_runtime_files(mozilla_t)
  files_read_usr_files(mozilla_t)
@@ -32020,7 +32032,7 @@ index d4fcb75..787adcf 100644
  # /var/lib
  files_read_var_lib_files(mozilla_t)
  # interacting with gstreamer
-@@ -155,38 +174,31 @@ fs_rw_tmpfs_files(mozilla_t)
+@@ -155,38 +181,31 @@ fs_rw_tmpfs_files(mozilla_t)
  
  term_dontaudit_getattr_pty_dirs(mozilla_t)
  
@@ -32034,10 +32046,10 @@ index d4fcb75..787adcf 100644
  
 -# Browse the web, connect to printer
 -sysnet_dns_name_resolve(mozilla_t)
+-
+-userdom_use_user_ptys(mozilla_t)
 +userdom_use_inherited_user_ptys(mozilla_t)
  
--userdom_use_user_ptys(mozilla_t)
--
 -mozilla_run_plugin(mozilla_t, mozilla_roles)
 +#mozilla_run_plugin(mozilla_t, mozilla_roles)
  
@@ -32068,7 +32080,7 @@ index d4fcb75..787adcf 100644
  
  # Uploads, local html
  tunable_policy(`mozilla_read_content && use_nfs_home_dirs',`
-@@ -263,6 +275,7 @@ optional_policy(`
+@@ -263,6 +282,7 @@ optional_policy(`
  optional_policy(`
  	gnome_stream_connect_gconf(mozilla_t)
  	gnome_manage_config(mozilla_t)
@@ -32076,7 +32088,7 @@ index d4fcb75..787adcf 100644
  ')
  
  optional_policy(`
-@@ -283,7 +296,8 @@ optional_policy(`
+@@ -283,7 +303,8 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -32086,7 +32098,7 @@ index d4fcb75..787adcf 100644
  	pulseaudio_stream_connect(mozilla_t)
  	pulseaudio_manage_home_files(mozilla_t)
  ')
-@@ -297,25 +311,35 @@ optional_policy(`
+@@ -297,25 +318,35 @@ optional_policy(`
  # mozilla_plugin local policy
  #
  
@@ -32130,7 +32142,7 @@ index d4fcb75..787adcf 100644
  
  manage_files_pattern(mozilla_plugin_t, mozilla_plugin_tmpfs_t, mozilla_plugin_tmpfs_t)
  manage_lnk_files_pattern(mozilla_plugin_t, mozilla_plugin_tmpfs_t, mozilla_plugin_tmpfs_t)
-@@ -323,31 +347,49 @@ manage_fifo_files_pattern(mozilla_plugin_t, mozilla_plugin_tmpfs_t, mozilla_plug
+@@ -323,31 +354,50 @@ manage_fifo_files_pattern(mozilla_plugin_t, mozilla_plugin_tmpfs_t, mozilla_plug
  manage_sock_files_pattern(mozilla_plugin_t, mozilla_plugin_tmpfs_t, mozilla_plugin_tmpfs_t)
  fs_tmpfs_filetrans(mozilla_plugin_t, mozilla_plugin_tmpfs_t, { file lnk_file sock_file fifo_file })
  
@@ -32164,6 +32176,7 @@ index d4fcb75..787adcf 100644
 +corenet_tcp_connect_gatekeeper_port(mozilla_plugin_t)
  corenet_tcp_connect_http_cache_port(mozilla_plugin_t)
 -corenet_tcp_connect_squid_port(mozilla_plugin_t)
++corenet_tcp_connect_ipsecnat_port(mozilla_plugin_t)
  corenet_tcp_connect_ipp_port(mozilla_plugin_t)
 +corenet_tcp_connect_ircd_port(mozilla_plugin_t)
 +corenet_tcp_connect_jabber_client_port(mozilla_plugin_t)
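Review bot: `corenet_tcp_connect_ipsecnat_port(mozilla_plugin_t)` is added as an unconditional grant, so every plugin the browser loads may reach the ipsecnat port even when the new mozilla_plugin_can_network_connect boolean introduced elsewhere in this patch is left at false. Presumably a specific plugin motivated it; a one-line why-comment such as `# ipsecnat port: required by <plugin name>, see the associated bug` would give later audits the provenance that the growing gatekeeper/ircd/jabber list otherwise lacks. If the need is plugin-specific rather than universal, consider moving the rule inside that tunable_policy block instead. The corenet_* rule list this line sits in starts and ends outside the hunk.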
@@ -32187,7 +32200,7 @@ index d4fcb75..787adcf 100644
  dev_read_video_dev(mozilla_plugin_t)
  dev_write_video_dev(mozilla_plugin_t)
  dev_read_sysfs(mozilla_plugin_t)
-@@ -356,6 +398,7 @@ dev_write_sound(mozilla_plugin_t)
+@@ -356,6 +406,7 @@ dev_write_sound(mozilla_plugin_t)
  # for nvidia driver
  dev_rw_xserver_misc(mozilla_plugin_t)
  dev_dontaudit_rw_dri(mozilla_plugin_t)
@@ -32195,7 +32208,7 @@ index d4fcb75..787adcf 100644
  
  domain_use_interactive_fds(mozilla_plugin_t)
  domain_dontaudit_read_all_domains_state(mozilla_plugin_t)
-@@ -363,15 +406,23 @@ domain_dontaudit_read_all_domains_state(mozilla_plugin_t)
+@@ -363,15 +414,23 @@ domain_dontaudit_read_all_domains_state(mozilla_plugin_t)
  files_read_config_files(mozilla_plugin_t)
  files_read_usr_files(mozilla_plugin_t)
  files_list_mnt(mozilla_plugin_t)
@@ -32219,7 +32232,7 @@ index d4fcb75..787adcf 100644
  logging_send_syslog_msg(mozilla_plugin_t)
  
  miscfiles_read_localization(mozilla_plugin_t)
-@@ -380,39 +431,29 @@ miscfiles_read_generic_certs(mozilla_plugin_t)
+@@ -380,38 +439,32 @@ miscfiles_read_generic_certs(mozilla_plugin_t)
  miscfiles_dontaudit_setattr_fonts_dirs(mozilla_plugin_t)
  miscfiles_dontaudit_setattr_fonts_cache_dirs(mozilla_plugin_t)
  
@@ -32261,17 +32274,18 @@ index d4fcb75..787adcf 100644
 -	fs_manage_nfs_files(mozilla_plugin_t)
 -	fs_manage_nfs_symlinks(mozilla_plugin_t)
 -')
--
++userdom_home_manager(mozilla_plugin_t)
+ 
 -tunable_policy(`use_samba_home_dirs',`
 -	fs_manage_cifs_dirs(mozilla_plugin_t)
 -	fs_manage_cifs_files(mozilla_plugin_t)
 -	fs_manage_cifs_symlinks(mozilla_plugin_t)
--')
-+userdom_home_manager(mozilla_plugin_t)
++tunable_policy(`mozilla_plugin_can_network_connect',`
++	corenet_tcp_connect_unreserved_ports(mozilla_plugin_t)
+ ')
  
  optional_policy(`
- 	alsa_read_rw_config(mozilla_plugin_t)
-@@ -422,24 +463,37 @@ optional_policy(`
+@@ -422,24 +475,37 @@ optional_policy(`
  optional_policy(`
  	dbus_system_bus_client(mozilla_plugin_t)
  	dbus_session_bus_client(mozilla_plugin_t)
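Review bot: The new `tunable_policy(\`mozilla_plugin_can_network_connect',\`` block only grants `corenet_tcp_connect_unreserved_ports(mozilla_plugin_t)`, i.e. TCP connects to ports above 1023 that no other port type claims, while the boolean's description added earlier in this patch says "connect to the network using TCP" and administrators will read the name as unrestricted network access. Either widen the rule if full access is intended, or narrow the description to match what is actually granted, e.g. `## Allow mozilla plugin domain to connect to unreserved TCP ports (above 1023, not labeled for another service).` The surrounding mozilla_plugin_t local policy continues outside the hunk.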
@@ -32313,7 +32327,7 @@ index d4fcb75..787adcf 100644
  ')
  
  optional_policy(`
-@@ -447,10 +501,109 @@ optional_policy(`
+@@ -447,10 +513,109 @@ optional_policy(`
  	pulseaudio_stream_connect(mozilla_plugin_t)
  	pulseaudio_setattr_home_dir(mozilla_plugin_t)
  	pulseaudio_manage_home_files(mozilla_plugin_t)
@@ -32326,13 +32340,13 @@ index d4fcb75..787adcf 100644
 +
 +optional_policy(`
 +	rtkit_scheduled(mozilla_plugin_t)
-+')
-+
-+optional_policy(`
-+	udev_read_db(mozilla_plugin_t)
  ')
  
  optional_policy(`
++	udev_read_db(mozilla_plugin_t)
++')
++
++optional_policy(`
 +	xserver_xdm_tmp_filetrans(mozilla_plugin_t, mozilla_plugin_tmp_t, { dir file fifo_file sock_file })
 +	xserver_dontaudit_read_xdm_tmp_files(mozilla_plugin_t)
  	xserver_read_xdm_pid(mozilla_plugin_t)
@@ -39522,21 +39536,21 @@ index b246bdd..99f27c0 100644
  files_read_etc_files(pads_t)
  files_search_spool(pads_t)
 diff --git a/passenger.fc b/passenger.fc
-index 545518d..7d5bf4c 100644
+index 545518d..1f3251d 100644
 --- a/passenger.fc
 +++ b/passenger.fc
-@@ -3,6 +3,11 @@
- /usr/lib/ruby/gems/.*/passenger-.*/agents/PassengerLoggingAgent			-- 	gen_context(system_u:object_r:passenger_exec_t,s0)
- /usr/lib/ruby/gems/.*/passenger-.*/agents/apache2/PassengerHelperAgent		-- 	gen_context(system_u:object_r:passenger_exec_t,s0)
+@@ -1,7 +1,7 @@
+-/usr/lib/ruby/gems/.*/passenger-.*/ext/apache2/ApplicationPoolServerExecutable	-- 	gen_context(system_u:object_r:passenger_exec_t,s0)
+-/usr/lib/ruby/gems/.*/passenger-.*/agents/PassengerWatchdog 			-- 	gen_context(system_u:object_r:passenger_exec_t,s0)
+-/usr/lib/ruby/gems/.*/passenger-.*/agents/PassengerLoggingAgent			-- 	gen_context(system_u:object_r:passenger_exec_t,s0)
+-/usr/lib/ruby/gems/.*/passenger-.*/agents/apache2/PassengerHelperAgent		-- 	gen_context(system_u:object_r:passenger_exec_t,s0)
++/usr/.*/gems/.*/passenger-.*/ext/apache2/ApplicationPoolServerExecutable	-- 	gen_context(system_u:object_r:passenger_exec_t,s0)
++/usr/.*/gems/.*/passenger-.*/agents/PassengerWatchdog 			-- 	gen_context(system_u:object_r:passenger_exec_t,s0)
++/usr/.*/gems/.*/passenger-.*/agents/PassengerLoggingAgent			-- 	gen_context(system_u:object_r:passenger_exec_t,s0)
++/usr/.*/gems/.*/passenger-.*/agents/apache2/PassengerHelperAgent		-- 	gen_context(system_u:object_r:passenger_exec_t,s0)
  
-+/usr/share/gems/.*/passenger-.*/ext/apache2/ApplicationPoolServerExecutable  --  gen_context(system_u:object_r:passenger_exec_t,s0)
-+/usr/share/gems/.*/passenger-.*/agents/PassengerWatchdog		--	gen_context(system_u:object_r:passenger_exec_t,s0)
-+/usr/gems/.*/passenger-.*/agents/PassengerLoggingAgent         --  gen_context(system_u:object_r:passenger_exec_t,s0)
-+/usr/gems/.*/passenger-.*/agents/apache2/PassengerHelperAgent      --  gen_context(system_u:object_r:passenger_exec_t,s0)
-+
  /var/lib/passenger(/.*)?		gen_context(system_u:object_r:passenger_var_lib_t,s0)
  
- /var/log/passenger(/.*)?		gen_context(system_u:object_r:passenger_log_t,s0)
 diff --git a/passenger.if b/passenger.if
 index f68b573..8fb9cd3 100644
 --- a/passenger.if
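Review bot: The rewritten passenger.fc entries use `/usr/.*/gems/.*/passenger-.*/...`, where the leading `.*` is unanchored and spans directory components, so the pattern matches any `gems` directory anywhere below /usr (including /usr/local) and the file_contexts stem shrinks to `/usr`, which can change how these lines order against longer-stem entries elsewhere in the policy. Since the intent appears to be covering both the ruby library path and /usr/share/gems, a bounded form such as `/usr/(lib(64)?/ruby|share)/gems/.*/passenger-.*/agents/PassengerWatchdog -- gen_context(system_u:object_r:passenger_exec_t,s0)` keeps passenger_exec_t from being applied to unintended paths. The rest of passenger.fc is not visible here, so confirm the directory set against the actual Fedora gem layout.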
@@ -48390,10 +48404,10 @@ index 0000000..48ea717
 +')
 diff --git a/realmd.te b/realmd.te
 new file mode 100644
-index 0000000..5b97fd2
+index 0000000..06fb852
 --- /dev/null
 +++ b/realmd.te
-@@ -0,0 +1,47 @@
+@@ -0,0 +1,48 @@
 +policy_module(realmd, 1.0.0)
 +
 +########################################
@@ -48416,6 +48430,7 @@ index 0000000..5b97fd2
 +domain_use_interactive_fds(realmd_t)
 +
 +files_read_etc_files(realmd_t)
++files_read_usr_files(realmd_t)
 +
 +logging_send_syslog_msg(realmd_t)
 +
@@ -53084,10 +53099,10 @@ index 0000000..ad91dbe
 +')
 diff --git a/sandbox.te b/sandbox.te
 new file mode 100644
-index 0000000..8c8db69
+index 0000000..8213fab
 --- /dev/null
 +++ b/sandbox.te
-@@ -0,0 +1,65 @@
+@@ -0,0 +1,63 @@
 +policy_module(sandbox,1.0.0)
 +
 +attribute sandbox_domain;
@@ -53118,14 +53133,12 @@ index 0000000..8c8db69
 +dev_rw_all_inherited_chr_files(sandbox_domain)
 +dev_rw_all_inherited_blk_files(sandbox_domain)
 +
-+can_exec(sandbox_domain, sandbox_file_t)
-+allow sandbox_domain sandbox_file_t:filesystem getattr;
-+manage_files_pattern(sandbox_domain, sandbox_file_t, sandbox_file_t);
-+manage_dirs_pattern(sandbox_domain, sandbox_file_t, sandbox_file_t);
-+manage_sock_files_pattern(sandbox_domain, sandbox_file_t, sandbox_file_t);
-+manage_fifo_files_pattern(sandbox_domain, sandbox_file_t, sandbox_file_t);
-+manage_lnk_files_pattern(sandbox_domain, sandbox_file_t, sandbox_file_t);
-+dontaudit sandbox_domain sandbox_file_t:dir mounton;
++# sandbox_file_t was moved to sandboxX.te
++optional_policy(`
++	sandbox_exec_file(sandbox_domain)
++	sandbox_manage_content(sandbox_domain)
++	sandbox_dontaudit_mounton(sandbox_domain)
++')
 +
 +gen_require(`
 +	type usr_t, lib_t, locale_t, device_t;
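Review bot: The replacement drops `allow sandbox_domain sandbox_file_t:filesystem getattr;` without a visible counterpart: `sandbox_exec_file`, `sandbox_manage_content` and `sandbox_dontaudit_mounton` cover exec, file/dir/sock/fifo/lnk management and mounton, but unless `sandbox_manage_content` (defined outside this hunk) also carries the filesystem getattr, statfs() from sandboxed processes will now be denied where it was previously allowed. Either add that permission to the interface or call an interface that grants it. The comment could also be precise about where the type went: `# sandbox_file_t and its interfaces now live in sandboxX.te / sandboxX.if`.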
@@ -53163,10 +53176,10 @@ index 0000000..6caef63
 +/usr/share/sandbox/start --	gen_context(system_u:object_r:sandbox_exec_t,s0)
 diff --git a/sandboxX.if b/sandboxX.if
 new file mode 100644
-index 0000000..7ff4d37
+index 0000000..81fb843
 --- /dev/null
 +++ b/sandboxX.if
-@@ -0,0 +1,353 @@
+@@ -0,0 +1,389 @@
 +
 +## <summary>policy for sandboxX </summary>
 +
@@ -53520,6 +53533,42 @@ index 0000000..7ff4d37
 +
 +	allow $1 sandbox_devpts_t:chr_file rw_inherited_term_perms;
 +')
++
++#######################################
++## <summary>
++##  Allow domain to execute sandbox_file_t in the caller domain.
++## </summary>
++## <param name="domain">
++##  <summary>
++##  Domain allowed access.
++##  </summary>
++## </param>
++#
++interface(`sandbox_exec_file',`
++    gen_require(`
++        type sandbox_file_t;
++    ')
++
++	can_exec($1, sandbox_file_t)
++')
++
++######################################
++## <summary>
++##  Allow domain to execute sandbox_file_t in the caller domain.
++## </summary>
++## <param name="domain">
++##  <summary>
++##  Domain allowed access.
++##  </summary>
++## </param>
++#
++interface(`sandbox_dontaudit_mounton',`
++    gen_require(`
++        type sandbox_file_t;
++    ')
++
++	dontaudit $1 sandbox_file_t:dir mounton;
++')
 diff --git a/sandboxX.te b/sandboxX.te
 new file mode 100644
 index 0000000..d091645
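Review bot: The summary for `sandbox_dontaudit_mounton` is a copy of `sandbox_exec_file`'s ("Allow domain to execute sandbox_file_t in the caller domain"), which misdescribes a dontaudit rule; it should read `##  Do not audit attempts to mount on sandbox_file_t directories.` Both new interfaces also indent `gen_require` with four spaces and the rule with a tab, whereas the rest of this interface file uses tabs, so the new lines should be normalised to tabs.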
@@ -57673,7 +57722,7 @@ index 4271815..fb5520f 100644
  
  /var/log/sssd(/.*)?		gen_context(system_u:object_r:sssd_var_log_t,s0)
 diff --git a/sssd.if b/sssd.if
-index 941380a..ff89df6 100644
+index 941380a..a178ad0 100644
 --- a/sssd.if
 +++ b/sssd.if
 @@ -5,9 +5,9 @@
@@ -57688,7 +57737,7 @@ index 941380a..ff89df6 100644
  ## </param>
  #
  interface(`sssd_domtrans',`
-@@ -36,6 +36,63 @@ interface(`sssd_initrc_domtrans',`
+@@ -36,6 +36,64 @@ interface(`sssd_initrc_domtrans',`
  	init_labeled_script_domtrans($1, sssd_initrc_exec_t)
  ')
  
@@ -57708,6 +57757,7 @@ index 941380a..ff89df6 100644
 +    ')
 +
 +    files_search_etc($1)
++	list_dirs_pattern($1, sssd_conf_t, sssd_conf_t)
 +    read_files_pattern($1, sssd_conf_t, sssd_conf_t)
 +')
 +
@@ -57752,7 +57802,7 @@ index 941380a..ff89df6 100644
  ########################################
  ## <summary>
  ##	Read sssd public files.
-@@ -89,6 +146,7 @@ interface(`sssd_manage_pids',`
+@@ -89,6 +147,7 @@ interface(`sssd_manage_pids',`
  		type sssd_var_run_t;
  	')
  
@@ -57760,7 +57810,7 @@ index 941380a..ff89df6 100644
  	manage_dirs_pattern($1, sssd_var_run_t, sssd_var_run_t)
  	manage_files_pattern($1, sssd_var_run_t, sssd_var_run_t)
  ')
-@@ -128,7 +186,6 @@ interface(`sssd_dontaudit_search_lib',`
+@@ -128,7 +187,6 @@ interface(`sssd_dontaudit_search_lib',`
  	')
  
  	dontaudit $1 sssd_var_lib_t:dir search_dir_perms;
@@ -57768,7 +57818,7 @@ index 941380a..ff89df6 100644
  ')
  
  ########################################
-@@ -148,6 +205,7 @@ interface(`sssd_read_lib_files',`
+@@ -148,6 +206,7 @@ interface(`sssd_read_lib_files',`
  
  	files_search_var_lib($1)
  	read_files_pattern($1, sssd_var_lib_t, sssd_var_lib_t)
@@ -57776,7 +57826,7 @@ index 941380a..ff89df6 100644
  ')
  
  ########################################
-@@ -168,6 +226,7 @@ interface(`sssd_manage_lib_files',`
+@@ -168,6 +227,7 @@ interface(`sssd_manage_lib_files',`
  
  	files_search_var_lib($1)
  	manage_files_pattern($1, sssd_var_lib_t, sssd_var_lib_t)
@@ -57784,7 +57834,7 @@ index 941380a..ff89df6 100644
  ')
  
  ########################################
-@@ -193,7 +252,7 @@ interface(`sssd_dbus_chat',`
+@@ -193,7 +253,7 @@ interface(`sssd_dbus_chat',`
  
  ########################################
  ## <summary>
@@ -57793,7 +57843,7 @@ index 941380a..ff89df6 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -225,21 +284,18 @@ interface(`sssd_stream_connect',`
+@@ -225,21 +285,18 @@ interface(`sssd_stream_connect',`
  ##	The role to be allowed to manage the sssd domain.
  ##	</summary>
  ## </param>
@@ -61693,6 +61743,18 @@ index f9310f3..e830a59 100644
  fs_getattr_all_fs(varnishd_t)
  
  auth_use_nsswitch(varnishd_t)
+diff --git a/vbetool.te b/vbetool.te
+index 001c93c..46d90da 100644
+--- a/vbetool.te
++++ b/vbetool.te
+@@ -22,6 +22,7 @@ init_system_domain(vbetool_t, vbetool_exec_t)
+ #
+ 
+ allow vbetool_t self:capability { dac_override sys_tty_config sys_admin };
++allow vbetool_t self:capability2 { secure_firmware };
+ allow vbetool_t self:process execmem;
+ 
+ dev_wx_raw_memory(vbetool_t)
 diff --git a/vdagent.fc b/vdagent.fc
 index 21c5f41..3ae71ae 100644
 --- a/vdagent.fc

