From 4e6b3f6dd9a8092b3afbaa8ea6c6db3eccf789d9 Mon Sep 17 00:00:00 2001
From: Dan Walsh
Date: Mon, 27 Sep 2010 10:21:54 -0400
Subject: [PATCH] Fixes to allow mozilla_plugin_t to create nsplugin_home_t directory.
Allow mozilla_plugin_t to create tcp/udp/netlink_route sockets
Allow confined users to read xdm_etc_t files
Allow xdm_t to transition to xauth_t for lxdm program
---
 policy/modules/apps/mozilla.te | 14 +++++++++++++-
 policy/modules/apps/nsplugin.if | 25 +++++++++++++++++++++++++
 policy/modules/services/xserver.if | 1 +
 policy/modules/services/xserver.te | 1 +
 4 files changed, 40 insertions(+), 1 deletion(-)
diff --git a/policy/modules/apps/mozilla.te b/policy/modules/apps/mozilla.te
index 0b1ca38a..5c3200a6 100644
--- a/policy/modules/apps/mozilla.te
+++ b/policy/modules/apps/mozilla.te
@@ -297,14 +297,17 @@ optional_policy(`
 # mozilla_plugin local policy
 #
 allow mozilla_plugin_t self:process { setsched signal_perms execmem };
+allow mozilla_plugin_t self:netlink_route_socket r_netlink_socket_perms;
+allow mozilla_plugin_t self:tcp_socket create_socket_perms;
+allow mozilla_plugin_t self:udp_socket create_socket_perms;
 allow mozilla_plugin_t self:sem create_sem_perms;
 allow mozilla_plugin_t self:shm create_shm_perms;
 allow mozilla_plugin_t self:fifo_file manage_fifo_file_perms;
 allow mozilla_plugin_t self:unix_stream_socket { connectto create_stream_socket_perms };
-read_files_pattern(mozilla_plugin_t, mozilla_home_t, mozilla_home_t)
 can_exec(mozilla_plugin_t, mozilla_home_t)
+read_files_pattern(mozilla_plugin_t, mozilla_home_t, mozilla_home_t)
 manage_dirs_pattern(mozilla_plugin_t, mozilla_plugin_tmp_t, mozilla_plugin_tmp_t)
 manage_files_pattern(mozilla_plugin_t, mozilla_plugin_tmp_t, mozilla_plugin_tmp_t)
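Review bot: The added tcp_socket and udp_socket lines grant create_socket_perms, which in refpolicy bundles bind and connect together with create, so the grant is wider than the "create sockets" wording of the commit message suggests. Whether traffic can actually flow still depends on corenet_* rules for mozilla_plugin_t that are not in this hunk, so I cannot tell from here how much network reach this adds in practice. A why-comment naming the plugin that opens its own network sockets, e.g. `# plugins that do their own networking need tcp/udp sockets`, would let a later reviewer judge whether the grant can be narrowed. Moving read_files_pattern below can_exec is cosmetic and fine.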
@@ -330,6 +333,7 @@ dev_read_video_dev(mozilla_plugin_t)
 dev_read_sysfs(mozilla_plugin_t)
 dev_read_sound(mozilla_plugin_t)
 dev_write_sound(mozilla_plugin_t)
+dev_dontaudit_rw_dri(mozilla_plugin_t)
 domain_use_interactive_fds(mozilla_plugin_t)
 domain_dontaudit_read_all_domains_state(mozilla_plugin_t)
@@ -349,13 +353,20 @@ userdom_rw_user_tmpfs_files(mozilla_plugin_t)
 userdom_delete_user_tmpfs_files(mozilla_plugin_t)
 userdom_stream_connect(mozilla_plugin_t)
 userdom_dontaudit_use_user_ptys(mozilla_plugin_t)
+
+userdom_list_user_tmp(mozilla_plugin_t)
+userdom_read_user_tmp_files(mozilla_plugin_t)
+userdom_read_user_tmp_symlinks(mozilla_plugin_t)
 userdom_read_user_home_content_files(mozilla_plugin_t)
+userdom_read_user_home_content_files(mozilla_plugin_t)
+userdom_read_user_home_content_symlinks(mozilla_plugin_t)
 optional_policy(`
 alsa_read_rw_config(mozilla_plugin_t)
 ')
 optional_policy(`
+ dbus_session_bus_client(mozilla_plugin_t)
 dbus_read_lib_files(mozilla_plugin_t)
 ')
@@ -369,6 +380,7 @@ optional_policy(`
 nsplugin_rw_exec(mozilla_plugin_t)
 nsplugin_manage_home_dirs(mozilla_plugin_t)
 nsplugin_manage_home_files(mozilla_plugin_t)
+ nsplugin_user_home_dir_filetrans(mozilla_plugin_t)
 nsplugin_signal(mozilla_plugin_t)
 ')
diff --git a/policy/modules/apps/nsplugin.if b/policy/modules/apps/nsplugin.if
index 94397463..4dbb1616 100644
--- a/policy/modules/apps/nsplugin.if
+++ b/policy/modules/apps/nsplugin.if
@@ -409,3 +409,28 @@ interface(`nsplugin_signal',`
 allow $1 nsplugin_t:process signal;
 ')
+
+########################################
+##
+## Create objects in a user home directory
+## with an automatic type transition to
+## the nsplugin home file type.
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+##
+## The class of the object to be created.
+##
+##
+#
+interface(`nsplugin_user_home_dir_filetrans',`
+ gen_require(`
+ type nsplugin_home_t;
+ ')
+
+ userdom_user_home_content_filetrans($1, nsplugin_home_t, $2)
+')
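Review bot: The added `+userdom_read_user_home_content_files(mozilla_plugin_t)` in the @@ -349,13 hunk duplicates the unchanged context line directly above it, so the new side carries the same call twice; drop the added copy and keep only `userdom_read_user_home_content_symlinks(mozilla_plugin_t)` as the new line there. A duplicate call is harmless to the compiled policy, but it makes the next reader suspect one of the two was meant to be a different interface. Separately, `dbus_session_bus_client(mozilla_plugin_t)` in the same hunk is not mentioned in the commit message; a one-line comment on why the plugin domain needs a session-bus connection would document that grant where it lives.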
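Review bot: `nsplugin_user_home_dir_filetrans(mozilla_plugin_t)` in the @@ -369,6 hunk is called with a single argument, but the interface added in the nsplugin.if hunk below declares a second parameter for the object class and forwards it as the third argument of userdom_user_home_content_filetrans($1, nsplugin_home_t, $2); with $2 empty that argument expands to nothing, which I would expect either to break the policy build or to yield no usable transition, so the nsplugin_home_t directory the commit message says it is fixing is not covered. Since the intent is to create that directory, the call should read `nsplugin_user_home_dir_filetrans(mozilla_plugin_t, dir)`. The enclosing optional_policy block opens before this hunk.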
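Review bot: The new nsplugin_user_home_dir_filetrans interface documents both parameters but not the precondition that a type transition grants nothing on its own: the calling domain still needs create permission on nsplugin_home_t for the class it passes, which in this patch the mozilla.te caller obtains from nsplugin_manage_home_dirs() and nsplugin_manage_home_files(). A sentence in the summary block, such as `## Callers also need nsplugin_manage_home_dirs() or nsplugin_manage_home_files() for the object class they pass.`, would spare the next user of this interface a denial hunt. The object class parameter description could also list the values the caller is expected to pass, since the commit message only talks about directories.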
diff --git a/policy/modules/services/xserver.if b/policy/modules/services/xserver.if
index ef2a773d..f9636424 100644
--- a/policy/modules/services/xserver.if
+++ b/policy/modules/services/xserver.if
@@ -114,6 +114,7 @@ interface(`xserver_restricted_role',`
 xserver_create_xdm_tmp_sockets($2)
 # Needed for escd, remove if we get escd policy
 xserver_manage_xdm_tmp_files($2)
+ xserver_read_xdm_etc_files($2)
 ifdef(`hide_broken_symptoms',`
 dontaudit iceauth_t $2:socket_class_set { read write };
diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te
index c80794bc..6c6f684f 100644
--- a/policy/modules/services/xserver.te
+++ b/policy/modules/services/xserver.te
@@ -650,6 +650,7 @@ application_signal(xdm_t)
 xserver_rw_session(xdm_t, xdm_tmpfs_t)
 xserver_unconfined(xdm_t)
+xserver_domtrans_xauth(xdm_t)
 ifndef(`distro_redhat',`
 allow xdm_t self:process { execheap execmem };
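Review bot: `xserver_read_xdm_etc_files($2)` is inserted directly beneath the `# Needed for escd, remove if we get escd policy` comment, so a reader will take it as part of that escd workaround and may remove it together with xserver_manage_xdm_tmp_files($2) once an escd policy exists. Either move it above that comment, next to xserver_create_xdm_tmp_sockets($2), or give it its own comment such as `# confined users read the display manager config in xdm_etc_t`. The enclosing xserver_restricted_role interface opens before this hunk and continues past it.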
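Review bot: `xserver_domtrans_xauth(xdm_t)` in the xserver.te hunk carries no comment saying which display manager needs it; the commit message attributes it to lxdm, and that context is lost once the line sits in the file next to xserver_unconfined(xdm_t). A short why-comment above it, e.g. `# lxdm runs xauth, so xdm_t needs the transition to xauth_t`, keeps the reason with the rule.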