[selinux-policy: 2865/3172] Allow gpg_pinentry_t to use fifo files of apps that transition to gpg_agent Add mozilla_plugin_tmp_t
Daniel J Walsh
dwalsh at fedoraproject.org
Thu Oct 7 23:15:05 UTC 2010
commit ef98a37444a2b4eec9efeef341b93ef6b9afe12e
Author: Dan Walsh <dwalsh at redhat.com>
Date: Fri Sep 3 17:06:40 2010 -0400
Allow gpg_pinentry_t to use fifo files of apps that transition to gpg_agent
Add mozilla_plugin_tmp_t
Allow mozilla_plugin to interact with pulseaudio tmpfs_t
Add apache labels for poodle
Add boolean to allow apache to connect to memcache_port
nagious sends signal and sigkill to system_mail_t
policy/modules/apps/gpg.if | 2 ++
policy/modules/apps/mozilla.te | 12 ++++++++++++
policy/modules/services/apache.fc | 1 +
policy/modules/services/apache.te | 11 +++++++++++
policy/modules/services/dovecot.te | 3 ++-
policy/modules/services/mta.if | 19 +++++++++++++++++++
policy/modules/services/nagios.te | 2 ++
7 files changed, 49 insertions(+), 1 deletions(-)
---
diff --git a/policy/modules/apps/gpg.if b/policy/modules/apps/gpg.if
index 7c48fc5..13d939a 100644
--- a/policy/modules/apps/gpg.if
+++ b/policy/modules/apps/gpg.if
@@ -54,6 +54,8 @@ interface(`gpg_role',`
manage_sock_files_pattern($2, gpg_pinentry_tmp_t, gpg_pinentry_tmp_t)
relabel_sock_files_pattern($2, gpg_pinentry_tmp_t, gpg_pinentry_tmp_t)
+ allow gpg_pinentry_t $2:fifo_file { read write };
+
optional_policy(`
gpg_pinentry_dbus_chat($2)
')
diff --git a/policy/modules/apps/mozilla.te b/policy/modules/apps/mozilla.te
index b2e4e0c..52c2cce 100644
--- a/policy/modules/apps/mozilla.te
+++ b/policy/modules/apps/mozilla.te
@@ -39,6 +39,9 @@ type mozilla_plugin_exec_t;
application_domain(mozilla_plugin_t, mozilla_plugin_exec_t)
role system_r types mozilla_plugin_t;
+type mozilla_plugin_tmp_t;
+files_tmp_file(mozilla_plugin_tmp_t)
+
permissive mozilla_plugin_t;
########################################
@@ -298,6 +301,10 @@ allow mozilla_plugin_t self:unix_stream_socket { connectto create_stream_socket_
read_files_pattern(mozilla_plugin_t, mozilla_home_t, mozilla_home_t)
+manage_dirs_pattern(mozilla_plugin_t, mozilla_plugin_tmp_t, mozilla_plugin_tmp_t)
+manage_files_pattern(mozilla_plugin_t, mozilla_plugin_tmp_t, mozilla_plugin_tmp_t)
+files_tmp_filetrans(mozilla_plugin_t, mozilla_plugin_tmp_t, { dir file })
+
kernel_read_kernel_sysctls(mozilla_plugin_t)
kernel_read_system_state(mozilla_plugin_t)
kernel_request_load_module(mozilla_plugin_t)
@@ -313,11 +320,16 @@ domain_dontaudit_read_all_domains_state(mozilla_plugin_t)
files_read_config_files(mozilla_plugin_t)
files_read_usr_files(mozilla_plugin_t)
+# Would like to get rid of this but needed to talk to mislabeled tmpfs
+fs_rw_tmpfs_files(mozilla_plugin_t)
+
miscfiles_read_localization(mozilla_plugin_t)
term_getattr_all_ttys(mozilla_plugin_t)
term_getattr_all_ptys(mozilla_plugin_t)
+userdom_rw_user_tmpfs_files(mozilla_plugin_t)
+
optional_policy(`
nsplugin_domtrans(mozilla_plugin_t)
nsplugin_rw_exec(mozilla_plugin_t)
diff --git a/policy/modules/services/apache.fc b/policy/modules/services/apache.fc
index b37de8e..a46884d 100644
--- a/policy/modules/services/apache.fc
+++ b/policy/modules/services/apache.fc
@@ -115,6 +115,7 @@ ifdef(`distro_debian', `
/var/www/gallery/albums(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
/var/lib/koji(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
+/var/lib/poodle/po(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
/var/lib/rt3/data/RT-Shredder(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0)
/var/www/svn(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
diff --git a/policy/modules/services/apache.te b/policy/modules/services/apache.te
index 08ec94f..de4388a 100644
--- a/policy/modules/services/apache.te
+++ b/policy/modules/services/apache.te
@@ -80,6 +80,13 @@ gen_tunable(httpd_can_network_connect_db, false)
## <desc>
## <p>
+## Allow httpd to connect to memcache server
+## </p>
+## </desc>
+gen_tunable(httpd_can_network_memcache, false)
+
+## <desc>
+## <p>
## Allow httpd to act as a relay
## </p>
## </desc>
@@ -515,6 +522,10 @@ tunable_policy(`httpd_can_network_connect',`
corenet_tcp_connect_all_ports(httpd_t)
')
+tunable_policy(`httpd_can_network_memcache',`
+ corenet_tcp_connect_memcache_port(httpd_t)
+')
+
tunable_policy(`httpd_can_network_relay',`
# allow httpd to work as a relay
corenet_tcp_connect_gopher_port(httpd_t)
diff --git a/policy/modules/services/dovecot.te b/policy/modules/services/dovecot.te
index 554ee5a..c771d46 100644
--- a/policy/modules/services/dovecot.te
+++ b/policy/modules/services/dovecot.te
@@ -265,7 +265,8 @@ read_files_pattern(dovecot_deliver_t, dovecot_etc_t, dovecot_etc_t)
allow dovecot_deliver_t dovecot_var_run_t:dir list_dir_perms;
allow dovecot_deliver_t dovecot_cert_t:dir search_dir_perms;
-allow dovecot_deliver_t dovecot_var_log_t:dir search_dir_perms;
+
+append_files_pattern(dovecot_deliver_t, dovecot_var_log_t, dovecot_var_log_t)
can_exec(dovecot_deliver_t, dovecot_deliver_exec_t)
diff --git a/policy/modules/services/mta.if b/policy/modules/services/mta.if
index 01af7c3..a9ebda2 100644
--- a/policy/modules/services/mta.if
+++ b/policy/modules/services/mta.if
@@ -440,6 +440,25 @@ interface(`mta_signal_system_mail',`
########################################
## <summary>
+## Send system mail client a kill signal
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+#
+interface(`mta_kill_system_mail',`
+ gen_require(`
+ type system_mail_t;
+ ')
+
+ allow $1 system_mail_t:process sigkill;
+')
+
+########################################
+## <summary>
## Execute sendmail in the caller domain.
## </summary>
## <param name="domain">
diff --git a/policy/modules/services/nagios.te b/policy/modules/services/nagios.te
index 0c4ac5b..1029389 100644
--- a/policy/modules/services/nagios.te
+++ b/policy/modules/services/nagios.te
@@ -122,6 +122,8 @@ userdom_dontaudit_use_unpriv_user_fds(nagios_t)
userdom_dontaudit_search_user_home_dirs(nagios_t)
mta_send_mail(nagios_t)
+mta_signal_system_mail(nagios_t)
+mta_kill_system_mail(nagios_t)
optional_policy(`
netutils_kill_ping(nagios_t)
More information about the scm-commits
mailing list