[selinux-policy: 2900/3172] More fixes for mozilla_plugin_t Allow telepathy domains to send themselves sigkill Label /etc/httpd/

Daniel J Walsh dwalsh at fedoraproject.org
Thu Oct 7 23:18:12 UTC 2010 

commit 0b8f4cfe160355e14794461eeba83ee82857be22
Author: Dan Walsh <dwalsh at redhat.com>
Date:   Fri Sep 10 12:10:13 2010 -0400

    More fixes for mozilla_plugin_t
    Allow telepathy domains to send themselves sigkill
    Label /etc/httpd/alias/*db as cert_t
    Allow fprintd to sys_nice

 policy/modules/apps/chrome.te      |    2 ++
 policy/modules/apps/mozilla.te     |   10 ++++++++++
 policy/modules/apps/telepathy.te   |    2 +-
 policy/modules/services/fprintd.te |    4 ++--
 policy/modules/system/miscfiles.fc |    1 +
 5 files changed, 16 insertions(+), 3 deletions(-)
---
diff --git a/policy/modules/apps/chrome.te b/policy/modules/apps/chrome.te
index 90c754f..5725183 100644
--- a/policy/modules/apps/chrome.te
+++ b/policy/modules/apps/chrome.te
@@ -60,6 +60,8 @@ userdom_dontaudit_use_user_terminals(chrome_sandbox_t)
 miscfiles_read_localization(chrome_sandbox_t)
 miscfiles_read_fonts(chrome_sandbox_t)
 
+sysnet_dontaudit_read_config(chrome_sandbox_t)
+
 optional_policy(`
 	execmem_exec(chrome_sandbox_t)
 ')
diff --git a/policy/modules/apps/mozilla.te b/policy/modules/apps/mozilla.te
index ec6a1ff..3018e86 100644
--- a/policy/modules/apps/mozilla.te
+++ b/policy/modules/apps/mozilla.te
@@ -315,6 +315,8 @@ manage_fifo_files_pattern(mozilla_plugin_t, mozilla_plugin_tmpfs_t, mozilla_plug
 manage_sock_files_pattern(mozilla_plugin_t, mozilla_plugin_tmpfs_t, mozilla_plugin_tmpfs_t)
 fs_tmpfs_filetrans(mozilla_plugin_t, mozilla_plugin_tmpfs_t, { file lnk_file sock_file fifo_file })
 
+can_exec(mozilla_plugin_t, mozilla_exec_t)
+
 kernel_read_kernel_sysctls(mozilla_plugin_t)
 kernel_read_system_state(mozilla_plugin_t)
 kernel_request_load_module(mozilla_plugin_t)
@@ -325,6 +327,8 @@ corecmd_exec_shell(mozilla_plugin_t)
 dev_read_urand(mozilla_plugin_t)
 dev_read_video_dev(mozilla_plugin_t)
 dev_read_sysfs(mozilla_plugin_t)
+dev_read_sound(mozilla_plugin_t)
+dev_write_sound(mozilla_plugin_t)
 
 domain_use_interactive_fds(mozilla_plugin_t)
 domain_dontaudit_read_all_domains_state(mozilla_plugin_t)
@@ -345,11 +349,16 @@ userdom_stream_connect(mozilla_plugin_t)
 userdom_dontaudit_use_user_ptys(mozilla_plugin_t)
 
 optional_policy(`
+	alsa_read_rw_config(mozilla_plugin_t)
+')
+
+optional_policy(`
 	dbus_read_lib_files(mozilla_plugin_t)
 ')
 
 optional_policy(`
 	gnome_manage_home_config(mozilla_plugin_t)
+	gnome_setattr_config_dirs(mozilla_plugin_t)
 ')
 
 optional_policy(`
@@ -366,4 +375,5 @@ optional_policy(`
 optional_policy(`
 	xserver_read_xdm_pid(mozilla_plugin_t)
 	xserver_stream_connect(mozilla_plugin_t)
+	xserver_use_user_fonts(mozilla_plugin_t)
 ')
diff --git a/policy/modules/apps/telepathy.te b/policy/modules/apps/telepathy.te
index c7250ae..4aea465 100644
--- a/policy/modules/apps/telepathy.te
+++ b/policy/modules/apps/telepathy.te
@@ -275,7 +275,7 @@ optional_policy(`
 # telepathy domains common policy
 #
 
-allow telepathy_domain self:process { getsched signal };
+allow telepathy_domain self:process { getsched signal sigkill };
 allow telepathy_domain self:fifo_file rw_fifo_file_perms;
 allow telepathy_domain self:tcp_socket create_socket_perms;
 allow telepathy_domain self:udp_socket create_socket_perms;
diff --git a/policy/modules/services/fprintd.te b/policy/modules/services/fprintd.te
index 54fada0..899feaf 100644
--- a/policy/modules/services/fprintd.te
+++ b/policy/modules/services/fprintd.te
@@ -17,9 +17,9 @@ files_type(fprintd_var_lib_t)
 # Local policy
 #
 
-allow fprintd_t self:capability sys_ptrace;
+allow fprintd_t self:capability { sys_nice sys_ptrace };
 allow fprintd_t self:fifo_file rw_fifo_file_perms;
-allow fprintd_t self:process { getsched signal };
+allow fprintd_t self:process { getsched setsched signal };
 
 manage_dirs_pattern(fprintd_t, fprintd_var_lib_t, fprintd_var_lib_t)
 manage_files_pattern(fprintd_t, fprintd_var_lib_t, fprintd_var_lib_t)
diff --git a/policy/modules/system/miscfiles.fc b/policy/modules/system/miscfiles.fc
index 63c1b2f..1f0ccfd 100644
--- a/policy/modules/system/miscfiles.fc
+++ b/policy/modules/system/miscfiles.fc
@@ -11,6 +11,7 @@ ifdef(`distro_gentoo',`
 /etc/avahi/etc/localtime --	gen_context(system_u:object_r:locale_t,s0)
 /etc/localtime		--	gen_context(system_u:object_r:locale_t,s0)
 /etc/pki(/.*)?			gen_context(system_u:object_r:cert_t,s0)
+/etc/httpd/alias/[^/]*\.db(\.[^/]*)*	-- 	gen_context(system_u:object_r:cert_t,s0)
 
 ifdef(`distro_redhat',`
 /etc/sysconfig/clock	--	gen_context(system_u:object_r:locale_t,s0)

More information about the scm-commits mailing list