Fix fusefs handling

Do not allow sandbox to manage nsplugin_rw_t Allow mozilla_plugin_t to connecto its parent Allow init_t to connect to plymouthd running as kernel_t
2010-10-06 09:03:28 -04:00 · 2010-10-06 09:03:28 -04:00 · 55e9f0e79c
commit 55e9f0e79c
parent d1c6ba20d5
5 changed files with 3 additions and 5 deletions
--- a/policy/modules/apps/mozilla.if
+++ b/policy/modules/apps/mozilla.if
@ -235,6 +235,7 @@ interface(`mozilla_run_plugin',`

 	mozilla_domtrans_plugin($1)
 	role $2 types mozilla_plugin_t;
+	allow $2 mozilla_plugin_t:unix_stream_socket connectto;
 ')

 ########################################
--- a/policy/modules/apps/sandbox.te
+++ b/policy/modules/apps/sandbox.te
@ -363,7 +363,6 @@ optional_policy(`
 optional_policy(`
 	nsplugin_read_rw_files(sandbox_web_type)
 	nsplugin_rw_exec(sandbox_web_type)
-	nsplugin_manage_rw(sandbox_web_type)
 ')

 optional_policy(`
--- a/policy/modules/services/apache.te
+++ b/policy/modules/services/apache.te
@ -364,6 +364,7 @@ allow httpd_t self:unix_dgram_socket { create_socket_perms sendto };
 allow httpd_t self:unix_stream_socket { create_stream_socket_perms connectto };
 allow httpd_t self:tcp_socket create_stream_socket_perms;
 allow httpd_t self:udp_socket create_socket_perms;
+dontaudit httpd_t self:netlink_audit_socket create_socket_perms;

 # Allow httpd_t to put files in /var/cache/httpd etc
 manage_dirs_pattern(httpd_t, httpd_cache_t, httpd_cache_t)
--- a/policy/modules/services/xserver.te
+++ b/policy/modules/services/xserver.te
@ -375,7 +375,6 @@ ifdef(`hide_broken_symptoms',`

 tunable_policy(`use_fusefs_home_dirs',`
 	fs_manage_fusefs_files(xauth_t)
-	fs_read_fusefs_symlinks(xauth_t)
 ')

 tunable_policy(`use_nfs_home_dirs',`
@ -673,8 +672,6 @@ ifdef(`distro_rhel4',`
 tunable_policy(`use_fusefs_home_dirs',`
 	fs_manage_fusefs_dirs(xdm_t)
 	fs_manage_fusefs_files(xdm_t)
-	fs_manage_fusefs_symlinks(xdm_t)
-	fs_exec_fusefs_files(xdm_t)
 ')

 tunable_policy(`use_nfs_home_dirs',`
@ -1170,7 +1167,6 @@ tunable_policy(`use_nfs_home_dirs',`
 tunable_policy(`use_fusefs_home_dirs',`
 	fs_manage_fusefs_dirs(xserver_t)
 	fs_manage_fusefs_files(xserver_t)
-	fs_manage_fusefs_symlinks(xserver_t)
 ')

 tunable_policy(`use_samba_home_dirs',`
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@ -139,6 +139,7 @@ allow init_t initrc_var_run_t:file { rw_file_perms setattr };

 kernel_read_system_state(init_t)
 kernel_share_state(init_t)
+kernel_stream_connect(init_t)

 corecmd_exec_chroot(init_t)
 corecmd_exec_bin(init_t)