More fixes for mozilla_plugin_t

Allow telepathy domains to send themselves sigkill Label /etc/httpd/alias/*db as cert_t Allow fprintd to sys_nice
2010-09-10 12:10:13 -04:00 · 2010-09-10 12:10:13 -04:00 · 0b8f4cfe16
commit 0b8f4cfe16
parent 1a82786cc8
5 changed files with 16 additions and 3 deletions
--- a/policy/modules/apps/chrome.te
+++ b/policy/modules/apps/chrome.te
@ -60,6 +60,8 @@ userdom_dontaudit_use_user_terminals(chrome_sandbox_t)
 miscfiles_read_localization(chrome_sandbox_t)
 miscfiles_read_fonts(chrome_sandbox_t)

+sysnet_dontaudit_read_config(chrome_sandbox_t)
+
 optional_policy(`
 	execmem_exec(chrome_sandbox_t)
 ')
--- a/policy/modules/apps/mozilla.te
+++ b/policy/modules/apps/mozilla.te
@ -315,6 +315,8 @@ manage_fifo_files_pattern(mozilla_plugin_t, mozilla_plugin_tmpfs_t, mozilla_plug
 manage_sock_files_pattern(mozilla_plugin_t, mozilla_plugin_tmpfs_t, mozilla_plugin_tmpfs_t)
 fs_tmpfs_filetrans(mozilla_plugin_t, mozilla_plugin_tmpfs_t, { file lnk_file sock_file fifo_file })

+can_exec(mozilla_plugin_t, mozilla_exec_t)
+
 kernel_read_kernel_sysctls(mozilla_plugin_t)
 kernel_read_system_state(mozilla_plugin_t)
 kernel_request_load_module(mozilla_plugin_t)
@ -325,6 +327,8 @@ corecmd_exec_shell(mozilla_plugin_t)
 dev_read_urand(mozilla_plugin_t)
 dev_read_video_dev(mozilla_plugin_t)
 dev_read_sysfs(mozilla_plugin_t)
+dev_read_sound(mozilla_plugin_t)
+dev_write_sound(mozilla_plugin_t)

 domain_use_interactive_fds(mozilla_plugin_t)
 domain_dontaudit_read_all_domains_state(mozilla_plugin_t)
@ -344,12 +348,17 @@ userdom_rw_user_tmpfs_files(mozilla_plugin_t)
 userdom_stream_connect(mozilla_plugin_t)
 userdom_dontaudit_use_user_ptys(mozilla_plugin_t)

+optional_policy(`
+	alsa_read_rw_config(mozilla_plugin_t)
+')
+
 optional_policy(`
 	dbus_read_lib_files(mozilla_plugin_t)
 ')

 optional_policy(`
 	gnome_manage_home_config(mozilla_plugin_t)
+	gnome_setattr_config_dirs(mozilla_plugin_t)
 ')

 optional_policy(`
@ -366,4 +375,5 @@ optional_policy(`
 optional_policy(`
 	xserver_read_xdm_pid(mozilla_plugin_t)
 	xserver_stream_connect(mozilla_plugin_t)
+	xserver_use_user_fonts(mozilla_plugin_t)
 ')
--- a/policy/modules/apps/telepathy.te
+++ b/policy/modules/apps/telepathy.te
@ -275,7 +275,7 @@ optional_policy(`
 # telepathy domains common policy
 #

-allow telepathy_domain self:process { getsched signal };
+allow telepathy_domain self:process { getsched signal sigkill };
 allow telepathy_domain self:fifo_file rw_fifo_file_perms;
 allow telepathy_domain self:tcp_socket create_socket_perms;
 allow telepathy_domain self:udp_socket create_socket_perms;
--- a/policy/modules/services/fprintd.te
+++ b/policy/modules/services/fprintd.te
@ -17,9 +17,9 @@ files_type(fprintd_var_lib_t)
 # Local policy
 #

-allow fprintd_t self:capability sys_ptrace;
+allow fprintd_t self:capability { sys_nice sys_ptrace };
 allow fprintd_t self:fifo_file rw_fifo_file_perms;
-allow fprintd_t self:process { getsched signal };
+allow fprintd_t self:process { getsched setsched signal };

 manage_dirs_pattern(fprintd_t, fprintd_var_lib_t, fprintd_var_lib_t)
 manage_files_pattern(fprintd_t, fprintd_var_lib_t, fprintd_var_lib_t)
--- a/policy/modules/system/miscfiles.fc
+++ b/policy/modules/system/miscfiles.fc
@ -11,6 +11,7 @@ ifdef(`distro_gentoo',`
 /etc/avahi/etc/localtime --	gen_context(system_u:object_r:locale_t,s0)
 /etc/localtime		--	gen_context(system_u:object_r:locale_t,s0)
 /etc/pki(/.*)?			gen_context(system_u:object_r:cert_t,s0)
+/etc/httpd/alias/[^/]*\.db(\.[^/]*)*	-- 	gen_context(system_u:object_r:cert_t,s0)

 ifdef(`distro_redhat',`
 /etc/sysconfig/clock	--	gen_context(system_u:object_r:locale_t,s0)