- More fixes for sandbox_web_t
This commit is contained in:
Daniel J Walsh
parent
ab462917cf
commit
2bf7d82f60
@ -2465,8 +2465,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
+/usr/lib(64)?/mozilla/plugins-wrapped(/.*)? gen_context(system_u:object_r:nsplugin_rw_t,s0)
|
+/usr/lib(64)?/mozilla/plugins-wrapped(/.*)? gen_context(system_u:object_r:nsplugin_rw_t,s0)
|
||||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin.if serefpolicy-3.6.32/policy/modules/apps/nsplugin.if
|
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin.if serefpolicy-3.6.32/policy/modules/apps/nsplugin.if
|
||||||
--- nsaserefpolicy/policy/modules/apps/nsplugin.if 1969-12-31 19:00:00.000000000 -0500
|
--- nsaserefpolicy/policy/modules/apps/nsplugin.if 1969-12-31 19:00:00.000000000 -0500
|
||||||
+++ serefpolicy-3.6.32/policy/modules/apps/nsplugin.if 2009-09-17 12:55:18.000000000 -0400
|
+++ serefpolicy-3.6.32/policy/modules/apps/nsplugin.if 2009-09-18 21:30:00.000000000 -0400
|
||||||
@@ -0,0 +1,318 @@
|
@@ -0,0 +1,319 @@
|
||||||
+
|
+
|
||||||
+## <summary>policy for nsplugin</summary>
|
+## <summary>policy for nsplugin</summary>
|
||||||
+
|
+
|
||||||
@ -2706,6 +2706,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
+ type nsplugin_rw_t;
|
+ type nsplugin_rw_t;
|
||||||
+ ')
|
+ ')
|
||||||
+
|
+
|
||||||
|
+ list_dirs_pattern($1, nsplugin_rw_t, nsplugin_rw_t)
|
||||||
+ read_files_pattern($1, nsplugin_rw_t, nsplugin_rw_t)
|
+ read_files_pattern($1, nsplugin_rw_t, nsplugin_rw_t)
|
||||||
+ read_lnk_files_pattern($1, nsplugin_rw_t, nsplugin_rw_t)
|
+ read_lnk_files_pattern($1, nsplugin_rw_t, nsplugin_rw_t)
|
||||||
+')
|
+')
|
||||||
@ -3809,8 +3810,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
+')
|
+')
|
||||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox.te serefpolicy-3.6.32/policy/modules/apps/sandbox.te
|
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox.te serefpolicy-3.6.32/policy/modules/apps/sandbox.te
|
||||||
--- nsaserefpolicy/policy/modules/apps/sandbox.te 1969-12-31 19:00:00.000000000 -0500
|
--- nsaserefpolicy/policy/modules/apps/sandbox.te 1969-12-31 19:00:00.000000000 -0500
|
||||||
+++ serefpolicy-3.6.32/policy/modules/apps/sandbox.te 2009-09-18 11:29:38.000000000 -0400
|
+++ serefpolicy-3.6.32/policy/modules/apps/sandbox.te 2009-09-18 21:31:34.000000000 -0400
|
||||||
@@ -0,0 +1,323 @@
|
@@ -0,0 +1,324 @@
|
||||||
+policy_module(sandbox,1.0.0)
|
+policy_module(sandbox,1.0.0)
|
||||||
+dbus_stub()
|
+dbus_stub()
|
||||||
+attribute sandbox_domain;
|
+attribute sandbox_domain;
|
||||||
@ -3946,7 +3947,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
+dontaudit sandbox_x_domain self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
|
+dontaudit sandbox_x_domain self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
|
||||||
+
|
+
|
||||||
+files_search_home(sandbox_x_domain)
|
+files_search_home(sandbox_x_domain)
|
||||||
+files_dontaudit_getattr_tmp_dirs(sandbox_x_domain)
|
+files_dontaudit_list_tmp(sandbox_x_domain)
|
||||||
+
|
+
|
||||||
+kernel_read_system_state(sandbox_x_domain)
|
+kernel_read_system_state(sandbox_x_domain)
|
||||||
+
|
+
|
||||||
@ -4061,6 +4062,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
+corenet_tcp_connect_ftp_port(sandbox_web_client_t)
|
+corenet_tcp_connect_ftp_port(sandbox_web_client_t)
|
||||||
+corenet_tcp_connect_ipp_port(sandbox_web_client_t)
|
+corenet_tcp_connect_ipp_port(sandbox_web_client_t)
|
||||||
+corenet_tcp_connect_generic_port(sandbox_web_client_t)
|
+corenet_tcp_connect_generic_port(sandbox_web_client_t)
|
||||||
|
+corenet_tcp_connect_sound_port(sandbox_web_client_t)
|
||||||
+corenet_sendrecv_http_client_packets(sandbox_web_client_t)
|
+corenet_sendrecv_http_client_packets(sandbox_web_client_t)
|
||||||
+corenet_sendrecv_http_cache_client_packets(sandbox_web_client_t)
|
+corenet_sendrecv_http_cache_client_packets(sandbox_web_client_t)
|
||||||
+corenet_sendrecv_ftp_client_packets(sandbox_web_client_t)
|
+corenet_sendrecv_ftp_client_packets(sandbox_web_client_t)
|
||||||
@ -5319,7 +5321,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
/var/lib/nfs/rpc_pipefs(/.*)? <<none>>
|
/var/lib/nfs/rpc_pipefs(/.*)? <<none>>
|
||||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.if serefpolicy-3.6.32/policy/modules/kernel/files.if
|
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.if serefpolicy-3.6.32/policy/modules/kernel/files.if
|
||||||
--- nsaserefpolicy/policy/modules/kernel/files.if 2009-07-14 14:19:57.000000000 -0400
|
--- nsaserefpolicy/policy/modules/kernel/files.if 2009-07-14 14:19:57.000000000 -0400
|
||||||
+++ serefpolicy-3.6.32/policy/modules/kernel/files.if 2009-09-18 17:16:00.000000000 -0400
|
+++ serefpolicy-3.6.32/policy/modules/kernel/files.if 2009-09-18 21:30:50.000000000 -0400
|
||||||
@@ -110,6 +110,11 @@
|
@@ -110,6 +110,11 @@
|
||||||
## </param>
|
## </param>
|
||||||
#
|
#
|
||||||
@ -14536,6 +14538,17 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
hostname_exec(pptp_t)
|
hostname_exec(pptp_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
|
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/prelude.te serefpolicy-3.6.32/policy/modules/services/prelude.te
|
||||||
|
--- nsaserefpolicy/policy/modules/services/prelude.te 2009-08-14 16:14:31.000000000 -0400
|
||||||
|
+++ serefpolicy-3.6.32/policy/modules/services/prelude.te 2009-09-18 21:24:50.000000000 -0400
|
||||||
|
@@ -123,6 +123,7 @@
|
||||||
|
# prelude_audisp local policy
|
||||||
|
#
|
||||||
|
allow prelude_audisp_t self:capability dac_override;
|
||||||
|
+allow prelude_audisp_t self:process { getcap setcap };
|
||||||
|
allow prelude_audisp_t self:fifo_file rw_file_perms;
|
||||||
|
allow prelude_audisp_t self:unix_stream_socket create_stream_socket_perms;
|
||||||
|
allow prelude_audisp_t self:unix_dgram_socket create_socket_perms;
|
||||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/privoxy.te serefpolicy-3.6.32/policy/modules/services/privoxy.te
|
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/privoxy.te serefpolicy-3.6.32/policy/modules/services/privoxy.te
|
||||||
--- nsaserefpolicy/policy/modules/services/privoxy.te 2009-08-14 16:14:31.000000000 -0400
|
--- nsaserefpolicy/policy/modules/services/privoxy.te 2009-08-14 16:14:31.000000000 -0400
|
||||||
+++ serefpolicy-3.6.32/policy/modules/services/privoxy.te 2009-09-16 10:03:09.000000000 -0400
|
+++ serefpolicy-3.6.32/policy/modules/services/privoxy.te 2009-09-16 10:03:09.000000000 -0400
|
||||||
|
|||||||
Loading…
Reference in New Issue
Block a user