[selinux-policy: 2865/3172] Allow gpg_pinentry_t to use fifo files of apps that transition to gpg_agent Add mozilla_plugin_tmp_t

Daniel J Walsh dwalsh at fedoraproject.org
Thu Oct 7 23:15:05 UTC 2010


commit ef98a37444a2b4eec9efeef341b93ef6b9afe12e
Author: Dan Walsh <dwalsh at redhat.com>
Date:   Fri Sep 3 17:06:40 2010 -0400

    Allow gpg_pinentry_t to use fifo files of apps that transition to gpg_agent
    Add mozilla_plugin_tmp_t
    Allow mozilla_plugin to interact with pulseaudio tmpfs_t
    Add apache labels for poodle
    Add boolean to allow apache to connect to memcache_port
    nagios sends signal and sigkill to system_mail_t

 policy/modules/apps/gpg.if         |    2 ++
 policy/modules/apps/mozilla.te     |   12 ++++++++++++
 policy/modules/services/apache.fc  |    1 +
 policy/modules/services/apache.te  |   11 +++++++++++
 policy/modules/services/dovecot.te |    3 ++-
 policy/modules/services/mta.if     |   19 +++++++++++++++++++
 policy/modules/services/nagios.te  |    2 ++
 7 files changed, 49 insertions(+), 1 deletions(-)
---
diff --git a/policy/modules/apps/gpg.if b/policy/modules/apps/gpg.if
index 7c48fc5..13d939a 100644
--- a/policy/modules/apps/gpg.if
+++ b/policy/modules/apps/gpg.if
@@ -54,6 +54,8 @@ interface(`gpg_role',`
 	manage_sock_files_pattern($2, gpg_pinentry_tmp_t, gpg_pinentry_tmp_t)
 	relabel_sock_files_pattern($2, gpg_pinentry_tmp_t, gpg_pinentry_tmp_t)
 
+	allow gpg_pinentry_t $2:fifo_file { read write };
+
 	optional_policy(`
 		gpg_pinentry_dbus_chat($2)
 	')
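Review bot: The new `allow gpg_pinentry_t $2:fifo_file { read write };` has no comment explaining why the pinentry domain needs read/write on pipes owned by the role's user domain, so the next reader of gpg_role cannot tell whether it is still needed. The commit message gives the reason (applications that transition to gpg_agent hand their fifo files down), so record it next to the rule, e.g. `# pinentry inherits pipes from user apps that transition to gpg_agent`. Consider whether a dontaudit on the remaining fifo_file permissions is wanted as well, since only read/write are granted here. The gpg_role interface itself begins outside the hunk.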
diff --git a/policy/modules/apps/mozilla.te b/policy/modules/apps/mozilla.te
index b2e4e0c..52c2cce 100644
--- a/policy/modules/apps/mozilla.te
+++ b/policy/modules/apps/mozilla.te
@@ -39,6 +39,9 @@ type mozilla_plugin_exec_t;
 application_domain(mozilla_plugin_t, mozilla_plugin_exec_t)
 role system_r types mozilla_plugin_t;
 
+type mozilla_plugin_tmp_t;
+files_tmp_file(mozilla_plugin_tmp_t)
+
 permissive mozilla_plugin_t;
 
 ########################################
@@ -298,6 +301,10 @@ allow mozilla_plugin_t self:unix_stream_socket { connectto create_stream_socket_
 
 read_files_pattern(mozilla_plugin_t, mozilla_home_t, mozilla_home_t)
 
+manage_dirs_pattern(mozilla_plugin_t, mozilla_plugin_tmp_t, mozilla_plugin_tmp_t)
+manage_files_pattern(mozilla_plugin_t, mozilla_plugin_tmp_t, mozilla_plugin_tmp_t)
+files_tmp_filetrans(mozilla_plugin_t, mozilla_plugin_tmp_t, { dir file })
+
 kernel_read_kernel_sysctls(mozilla_plugin_t)
 kernel_read_system_state(mozilla_plugin_t)
 kernel_request_load_module(mozilla_plugin_t)
@@ -313,11 +320,16 @@ domain_dontaudit_read_all_domains_state(mozilla_plugin_t)
 files_read_config_files(mozilla_plugin_t)
 files_read_usr_files(mozilla_plugin_t)
 
+# Would like to get rid of this but needed to talk to mislabeled tmpfs
+fs_rw_tmpfs_files(mozilla_plugin_t)
+
 miscfiles_read_localization(mozilla_plugin_t)
 
 term_getattr_all_ttys(mozilla_plugin_t)
 term_getattr_all_ptys(mozilla_plugin_t)
 
+userdom_rw_user_tmpfs_files(mozilla_plugin_t)
+
 optional_policy(`
 	nsplugin_domtrans(mozilla_plugin_t)
 	nsplugin_rw_exec(mozilla_plugin_t)
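Review bot: `fs_rw_tmpfs_files(mozilla_plugin_t)` grants read and write on every file carrying the generic tmpfs label, not just the pulseaudio data the commit message names, and the comment above it only says the rule is unwanted without saying what has to happen before it can go. The `userdom_rw_user_tmpfs_files(mozilla_plugin_t)` added a few lines later presumably covers the correctly labeled case, so the broad rule is a workaround and should be marked as one with its exit condition, e.g. `# Workaround: pulseaudio tmpfs objects are still generically labeled; drop once they get a dedicated type (tracking: <bug-id placeholder>)`. Also note that mozilla_plugin_t is still `permissive` in this file, so denials for this path would not be enforced yet anyway; this rule should be re-evaluated before that line is removed.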
diff --git a/policy/modules/services/apache.fc b/policy/modules/services/apache.fc
index b37de8e..a46884d 100644
--- a/policy/modules/services/apache.fc
+++ b/policy/modules/services/apache.fc
@@ -115,6 +115,7 @@ ifdef(`distro_debian', `
 /var/www/gallery/albums(/.*)?		gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
 
 /var/lib/koji(/.*)? 			gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
+/var/lib/poodle/po(/.*)? 		gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
 /var/lib/rt3/data/RT-Shredder(/.*)?	gen_context(system_u:object_r:httpd_var_lib_t,s0)
 
 /var/www/svn(/.*)?			gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
diff --git a/policy/modules/services/apache.te b/policy/modules/services/apache.te
index 08ec94f..de4388a 100644
--- a/policy/modules/services/apache.te
+++ b/policy/modules/services/apache.te
@@ -80,6 +80,13 @@ gen_tunable(httpd_can_network_connect_db, false)
 
 ## <desc>
 ## <p>
+## Allow httpd to connect to memcache server
+## </p>
+## </desc>
+gen_tunable(httpd_can_network_memcache, false)
+
+## <desc>
+## <p>
 ## Allow httpd to act as a relay
 ## </p>
 ## </desc>
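Review bot: The new boolean `httpd_can_network_memcache` breaks the naming pattern of its neighbours (`httpd_can_network_connect_db` in the hunk header, `httpd_can_network_connect`, `httpd_can_network_relay`), and since boolean names become administrator-facing interface once shipped this is the last cheap moment to align it, e.g. `gen_tunable(httpd_can_network_connect_memcache, false)` with the matching `tunable_policy` name in the second hunk of this file. Independently of the name, the `<desc>` should state the actual scope of what is granted so an admin can judge it: the policy body only allows TCP connects to the memcache port via `corenet_tcp_connect_memcache_port(httpd_t)`, so `## Allow httpd to make TCP connections to the memcache port` is more precise than "connect to memcache server".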
@@ -515,6 +522,10 @@ tunable_policy(`httpd_can_network_connect',`
 	corenet_tcp_connect_all_ports(httpd_t)
 ')
 
+tunable_policy(`httpd_can_network_memcache',`
+	corenet_tcp_connect_memcache_port(httpd_t)
+')
+
 tunable_policy(`httpd_can_network_relay',`
 	# allow httpd to work as a relay
 	corenet_tcp_connect_gopher_port(httpd_t)
diff --git a/policy/modules/services/dovecot.te b/policy/modules/services/dovecot.te
index 554ee5a..c771d46 100644
--- a/policy/modules/services/dovecot.te
+++ b/policy/modules/services/dovecot.te
@@ -265,7 +265,8 @@ read_files_pattern(dovecot_deliver_t, dovecot_etc_t, dovecot_etc_t)
 allow dovecot_deliver_t dovecot_var_run_t:dir list_dir_perms;
 
 allow dovecot_deliver_t dovecot_cert_t:dir search_dir_perms;
-allow dovecot_deliver_t dovecot_var_log_t:dir search_dir_perms;
+
+append_files_pattern(dovecot_deliver_t, dovecot_var_log_t, dovecot_var_log_t)
 
 can_exec(dovecot_deliver_t, dovecot_deliver_exec_t)
 
diff --git a/policy/modules/services/mta.if b/policy/modules/services/mta.if
index 01af7c3..a9ebda2 100644
--- a/policy/modules/services/mta.if
+++ b/policy/modules/services/mta.if
@@ -440,6 +440,25 @@ interface(`mta_signal_system_mail',`
 
 ########################################
 ## <summary>
+##	Send system mail client a kill signal
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+#
+interface(`mta_kill_system_mail',`
+	gen_require(`
+		type system_mail_t;
+	')
+
+	allow $1 system_mail_t:process sigkill;
+')
+
+########################################
+## <summary>
 ##	Execute sendmail in the caller domain.
 ## </summary>
 ## <param name="domain">
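Review bot: The doc header of the new `mta_kill_system_mail` interface ends with two consecutive bare `#` lines before `interface(`; the interface headers elsewhere in this file (not visible in the hunk) use a single `#` separator, so one of them should be dropped. The rule itself is tight, granting only `sigkill`, and mirrors `mta_signal_system_mail` named in the hunk header, which is good. It would help callers if the summary said when this is appropriate, e.g. `##	Send system mail client a kill signal (for callers that must terminate a stuck mailer they spawned)`, so the interface is not picked up as a generic "kill mail" grant.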
diff --git a/policy/modules/services/nagios.te b/policy/modules/services/nagios.te
index 0c4ac5b..1029389 100644
--- a/policy/modules/services/nagios.te
+++ b/policy/modules/services/nagios.te
@@ -122,6 +122,8 @@ userdom_dontaudit_use_unpriv_user_fds(nagios_t)
 userdom_dontaudit_search_user_home_dirs(nagios_t)
 
 mta_send_mail(nagios_t)
+mta_signal_system_mail(nagios_t)
+mta_kill_system_mail(nagios_t)
 
 optional_policy(`
 	netutils_kill_ping(nagios_t)
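Review bot: `mta_signal_system_mail(nagios_t)` and `mta_kill_system_mail(nagios_t)` let nagios_t signal and SIGKILL any system_mail_t process on the host, not just the mailer it spawned, and nothing in the hunk says why that is needed. Presumably nagios terminates notification mail processes that exceed its command timeout; if so, record it next to the calls, e.g. `# nagios kills notification mailers that exceed its command timeout`, so the grant is not widened later without thought. The rules sit outside any `optional_policy` block, matching the existing `mta_send_mail(nagios_t)` above them, so placement is consistent.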

