[selinux-policy: 2849/3172] Fix sandbox tcp_socket calls to create_stream_socket_perms Dontaudit sandbox_xserver_t trying to get
Daniel J Walsh
dwalsh at fedoraproject.org
Thu Oct 7 23:13:38 UTC 2010
commit c6fa935fd5dcfbce64fd879cb5d55756f1ea4d88
Author: Dan Walsh <dwalsh at redhat.com>
Date: Tue Aug 31 18:36:43 2010 -0400
Fix sandbox tcp_socket calls to create_stream_socket_perms
Dontaudit sandbox_xserver_t trying to get the kernel to load modules
telepathy_msn sends dbus messages to networkmanager
mailman_t trys to read /root/.config
xserver tries to getpgid on processes that start it.
pam_systemd causes /var/run/users to be called for all login programs. Must allow them to create directories
policy/modules/apps/sandbox.te | 6 ++++--
policy/modules/apps/telepathy.te | 3 +++
policy/modules/services/devicekit.te | 1 +
policy/modules/services/mailman.te | 6 +++++-
policy/modules/services/xserver.if | 2 ++
policy/modules/system/authlogin.if | 1 +
6 files changed, 16 insertions(+), 3 deletions(-)
---
diff --git a/policy/modules/apps/sandbox.te b/policy/modules/apps/sandbox.te
index 88a211a..8d4ac56 100644
--- a/policy/modules/apps/sandbox.te
+++ b/policy/modules/apps/sandbox.te
@@ -45,6 +45,8 @@ manage_fifo_files_pattern(sandbox_xserver_t, sandbox_xserver_tmpfs_t, sandbox_xs
manage_sock_files_pattern(sandbox_xserver_t, sandbox_xserver_tmpfs_t, sandbox_xserver_tmpfs_t)
fs_tmpfs_filetrans(sandbox_xserver_t, sandbox_xserver_tmpfs_t, { dir file lnk_file sock_file fifo_file })
+kernel_dontaudit_request_load_module(sandbox_xserver_t)
+
corecmd_exec_bin(sandbox_xserver_t)
corecmd_exec_shell(sandbox_xserver_t)
@@ -238,7 +240,7 @@ userdom_use_user_ptys(sandbox_x_t)
#
# sandbox_x_client_t local policy
#
-allow sandbox_x_client_t self:tcp_socket create_socket_perms;
+allow sandbox_x_client_t self:tcp_socket create_stream_socket_perms;
allow sandbox_x_client_t self:udp_socket create_socket_perms;
allow sandbox_x_client_t self:dbus { acquire_svc send_msg };
allow sandbox_x_client_t self:netlink_selinux_socket create_socket_perms;
@@ -272,7 +274,7 @@ allow sandbox_web_type self:netlink_audit_socket nlmsg_relay;
allow sandbox_web_type self:process setsched;
dontaudit sandbox_web_type self:process setrlimit;
-allow sandbox_web_type self:tcp_socket create_socket_perms;
+allow sandbox_web_type self:tcp_socket create_stream_socket_perms;
allow sandbox_web_type self:udp_socket create_socket_perms;
allow sandbox_web_type self:dbus { acquire_svc send_msg };
allow sandbox_web_type self:netlink_selinux_socket create_socket_perms;
diff --git a/policy/modules/apps/telepathy.te b/policy/modules/apps/telepathy.te
index 59867f6..7e8fd3a 100644
--- a/policy/modules/apps/telepathy.te
+++ b/policy/modules/apps/telepathy.te
@@ -80,6 +80,9 @@ sysnet_read_config(telepathy_msn_t)
optional_policy(`
dbus_system_bus_client(telepathy_msn_t)
+ optional_policy(`
+ networkmanager_dbus_chat(telepathy_msn_t)
+ ')
')
optional_policy(`
diff --git a/policy/modules/services/devicekit.te b/policy/modules/services/devicekit.te
index b191ff7..ca3a848 100644
--- a/policy/modules/services/devicekit.te
+++ b/policy/modules/services/devicekit.te
@@ -239,6 +239,7 @@ files_read_etc_files(devicekit_power_t)
files_read_usr_files(devicekit_power_t)
fs_list_inotifyfs(devicekit_power_t)
+fs_getattr_all_fs(devicekit_power_t)
term_use_all_terms(devicekit_power_t)
diff --git a/policy/modules/services/mailman.te b/policy/modules/services/mailman.te
index af4d572..ac97ed9 100644
--- a/policy/modules/services/mailman.te
+++ b/policy/modules/services/mailman.te
@@ -81,6 +81,10 @@ optional_policy(`
')
optional_policy(`
+ gnome_dontaudit_search_config(mailman_mail_t)
+')
+
+optional_policy(`
cron_read_pipes(mailman_mail_t)
')
@@ -125,4 +129,4 @@ optional_policy(`
optional_policy(`
su_exec(mailman_queue_t)
-')
\ No newline at end of file
+')
diff --git a/policy/modules/services/xserver.if b/policy/modules/services/xserver.if
index 6ff8f25..a1d911d 100644
--- a/policy/modules/services/xserver.if
+++ b/policy/modules/services/xserver.if
@@ -1164,6 +1164,8 @@ interface(`xserver_domtrans',`
allow $1 xserver_t:process siginh;
domtrans_pattern($1, xserver_exec_t, xserver_t)
+
+ allow xserver_t $1:process getpgid;
')
########################################
diff --git a/policy/modules/system/authlogin.if b/policy/modules/system/authlogin.if
index 06185fd..227958c 100644
--- a/policy/modules/system/authlogin.if
+++ b/policy/modules/system/authlogin.if
@@ -113,6 +113,7 @@ interface(`auth_login_pgm_domain',`
userdom_manage_all_users_keys($1)
files_list_var_lib($1)
+ manage_dirs_pattern($1, var_auth_t, var_auth_t)
manage_files_pattern($1, var_auth_t, var_auth_t)
manage_dirs_pattern($1, auth_cache_t, auth_cache_t)
More information about the scm-commits
mailing list