[selinux-policy: 2849/3172] Fix sandbox tcp_socket calls to create_stream_socket_perms Dontaudit sandbox_xserver_t trying to get

Daniel J Walsh dwalsh at fedoraproject.org
Thu Oct 7 23:13:38 UTC 2010 

commit c6fa935fd5dcfbce64fd879cb5d55756f1ea4d88
Author: Dan Walsh <dwalsh at redhat.com>
Date:   Tue Aug 31 18:36:43 2010 -0400

    Fix sandbox tcp_socket calls to create_stream_socket_perms
    Dontaudit sandbox_xserver_t trying to get the kernel to load modules
    telepathy_msn sends dbus messages to networkmanager
    mailman_t trys to read /root/.config
    xserver tries to getpgid on processes that start it.
    pam_systemd causes /var/run/users to be called for all login programs.  Must allow them to create directories

 policy/modules/apps/sandbox.te       |    6 ++++--
 policy/modules/apps/telepathy.te     |    3 +++
 policy/modules/services/devicekit.te |    1 +
 policy/modules/services/mailman.te   |    6 +++++-
 policy/modules/services/xserver.if   |    2 ++
 policy/modules/system/authlogin.if   |    1 +
 6 files changed, 16 insertions(+), 3 deletions(-)
---
diff --git a/policy/modules/apps/sandbox.te b/policy/modules/apps/sandbox.te
index 88a211a..8d4ac56 100644
--- a/policy/modules/apps/sandbox.te
+++ b/policy/modules/apps/sandbox.te
@@ -45,6 +45,8 @@ manage_fifo_files_pattern(sandbox_xserver_t, sandbox_xserver_tmpfs_t, sandbox_xs
 manage_sock_files_pattern(sandbox_xserver_t, sandbox_xserver_tmpfs_t, sandbox_xserver_tmpfs_t)
 fs_tmpfs_filetrans(sandbox_xserver_t, sandbox_xserver_tmpfs_t, { dir file lnk_file sock_file fifo_file })
 
+kernel_dontaudit_request_load_module(sandbox_xserver_t)
+
 corecmd_exec_bin(sandbox_xserver_t)
 corecmd_exec_shell(sandbox_xserver_t)
 
@@ -238,7 +240,7 @@ userdom_use_user_ptys(sandbox_x_t)
 #
 # sandbox_x_client_t local policy
 #
-allow sandbox_x_client_t self:tcp_socket create_socket_perms;
+allow sandbox_x_client_t self:tcp_socket create_stream_socket_perms;
 allow sandbox_x_client_t self:udp_socket create_socket_perms;
 allow sandbox_x_client_t self:dbus { acquire_svc send_msg };
 allow sandbox_x_client_t self:netlink_selinux_socket create_socket_perms;
@@ -272,7 +274,7 @@ allow sandbox_web_type self:netlink_audit_socket nlmsg_relay;
 allow sandbox_web_type self:process setsched;
 dontaudit sandbox_web_type self:process setrlimit;
 
-allow sandbox_web_type self:tcp_socket create_socket_perms;
+allow sandbox_web_type self:tcp_socket create_stream_socket_perms;
 allow sandbox_web_type self:udp_socket create_socket_perms;
 allow sandbox_web_type self:dbus { acquire_svc send_msg };
 allow sandbox_web_type self:netlink_selinux_socket create_socket_perms;
diff --git a/policy/modules/apps/telepathy.te b/policy/modules/apps/telepathy.te
index 59867f6..7e8fd3a 100644
--- a/policy/modules/apps/telepathy.te
+++ b/policy/modules/apps/telepathy.te
@@ -80,6 +80,9 @@ sysnet_read_config(telepathy_msn_t)
 
 optional_policy(`
         dbus_system_bus_client(telepathy_msn_t)
+	optional_policy(`
+		networkmanager_dbus_chat(telepathy_msn_t)
+	')
 ')
 
 optional_policy(`
diff --git a/policy/modules/services/devicekit.te b/policy/modules/services/devicekit.te
index b191ff7..ca3a848 100644
--- a/policy/modules/services/devicekit.te
+++ b/policy/modules/services/devicekit.te
@@ -239,6 +239,7 @@ files_read_etc_files(devicekit_power_t)
 files_read_usr_files(devicekit_power_t)
 
 fs_list_inotifyfs(devicekit_power_t)
+fs_getattr_all_fs(devicekit_power_t)
 
 term_use_all_terms(devicekit_power_t)
 
diff --git a/policy/modules/services/mailman.te b/policy/modules/services/mailman.te
index af4d572..ac97ed9 100644
--- a/policy/modules/services/mailman.te
+++ b/policy/modules/services/mailman.te
@@ -81,6 +81,10 @@ optional_policy(`
 ')
 
 optional_policy(`
+	gnome_dontaudit_search_config(mailman_mail_t)
+')
+
+optional_policy(`
 	cron_read_pipes(mailman_mail_t)
 ')
 
@@ -125,4 +129,4 @@ optional_policy(`
 
 optional_policy(`
 	su_exec(mailman_queue_t)
-')
\ No newline at end of file
+')
diff --git a/policy/modules/services/xserver.if b/policy/modules/services/xserver.if
index 6ff8f25..a1d911d 100644
--- a/policy/modules/services/xserver.if
+++ b/policy/modules/services/xserver.if
@@ -1164,6 +1164,8 @@ interface(`xserver_domtrans',`
 
  	allow $1 xserver_t:process siginh;
 	domtrans_pattern($1, xserver_exec_t, xserver_t)
+
+	allow xserver_t $1:process getpgid;
 ')
 
 ########################################
diff --git a/policy/modules/system/authlogin.if b/policy/modules/system/authlogin.if
index 06185fd..227958c 100644
--- a/policy/modules/system/authlogin.if
+++ b/policy/modules/system/authlogin.if
@@ -113,6 +113,7 @@ interface(`auth_login_pgm_domain',`
 	userdom_manage_all_users_keys($1)
 
 	files_list_var_lib($1)
+	manage_dirs_pattern($1, var_auth_t, var_auth_t)
 	manage_files_pattern($1, var_auth_t, var_auth_t)
 
 	manage_dirs_pattern($1, auth_cache_t, auth_cache_t)

More information about the scm-commits mailing list