Fix fusefs handling
Do not allow sandbox to manage nsplugin_rw_t. Allow mozilla_plugin_t to connect to its parent. Allow init_t to connect to plymouthd running as kernel_t.
This commit is contained in:
parent
d1c6ba20d5
commit
55e9f0e79c
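@@ -235,6 +235,7 @@ interface(`mozilla_run_plugin',`
 
 mozilla_domtrans_plugin($1)
 role $2 types mozilla_plugin_t;
+allow $2 mozilla_plugin_t:unix_stream_socket connectto;
 ')
 
 ########################################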
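Review bot: The added rule uses `$2` as the source of the allow, but the line directly above binds `$2` as a role (`role $2 types mozilla_plugin_t;`), so this rule puts a role where a type is required and does not express what the commit message describes. The message says mozilla_plugin_t connects to its parent, and the parent is the `$1` domain that `mozilla_domtrans_plugin($1)` transitions from, so the intended line is presumably `allow mozilla_plugin_t $1:unix_stream_socket connectto;` (or `allow $1 mozilla_plugin_t:unix_stream_socket connectto;` if the parent is the side that connects). A one-line comment naming the peer and the direction would keep the two from being swapped again. The `mozilla_run_plugin` interface starts outside the hunk.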
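@@ -363,7 +363,6 @@ optional_policy(`
 optional_policy(`
 nsplugin_read_rw_files(sandbox_web_type)
 nsplugin_rw_exec(sandbox_web_type)
-nsplugin_manage_rw(sandbox_web_type)
 ')
 
 optional_policy(`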
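@@ -364,6 +364,7 @@ allow httpd_t self:unix_dgram_socket { create_socket_perms sendto };
 allow httpd_t self:unix_stream_socket { create_stream_socket_perms connectto };
 allow httpd_t self:tcp_socket create_stream_socket_perms;
 allow httpd_t self:udp_socket create_socket_perms;
+dontaudit httpd_t self:netlink_audit_socket create_socket_perms;
 
 # Allow httpd_t to put files in /var/cache/httpd etc
 manage_dirs_pattern(httpd_t, httpd_cache_t, httpd_cache_t)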
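Review bot: The new `dontaudit httpd_t self:netlink_audit_socket create_socket_perms;` silences a denial without recording what triggers it, and the commit message does not mention httpd at all, so the reason is lost as soon as this lands. Suggest a comment directly above the rule, such as `# <httpd component> attempts to open an audit netlink socket; deny quietly`, with the actual trigger filled in so a later reader can judge whether the access is still expected or has become a symptom worth auditing. Since dontaudit suppresses the AVC record, anyone debugging httpd later will only see this attempt after disabling dontaudit rules, which is one more reason to document it here.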
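@@ -375,7 +375,6 @@ ifdef(`hide_broken_symptoms',`
 
 tunable_policy(`use_fusefs_home_dirs',`
 fs_manage_fusefs_files(xauth_t)
-fs_read_fusefs_symlinks(xauth_t)
 ')
 
 tunable_policy(`use_nfs_home_dirs',`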
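@@ -673,8 +672,6 @@ ifdef(`distro_rhel4',`
 tunable_policy(`use_fusefs_home_dirs',`
 fs_manage_fusefs_dirs(xdm_t)
 fs_manage_fusefs_files(xdm_t)
-fs_manage_fusefs_symlinks(xdm_t)
-fs_exec_fusefs_files(xdm_t)
 ')
 
 tunable_policy(`use_nfs_home_dirs',`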
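@@ -1170,7 +1167,6 @@ tunable_policy(`use_nfs_home_dirs',`
 tunable_policy(`use_fusefs_home_dirs',`
 fs_manage_fusefs_dirs(xserver_t)
 fs_manage_fusefs_files(xserver_t)
-fs_manage_fusefs_symlinks(xserver_t)
 ')
 
 tunable_policy(`use_samba_home_dirs',`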
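@@ -139,6 +139,7 @@ allow init_t initrc_var_run_t:file { rw_file_perms setattr };
 
 kernel_read_system_state(init_t)
 kernel_share_state(init_t)
+kernel_stream_connect(init_t)
 
 corecmd_exec_chroot(init_t)
 corecmd_exec_bin(init_t)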
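Review bot: `kernel_stream_connect(init_t)` is added with no comment, while the commit message says it exists only because plymouthd runs as kernel_t; from its name the interface presumably grants connectto on kernel_t unix stream sockets in general rather than on plymouthd's socket alone, so that narrower intent belongs next to the rule. Suggest `# plymouthd started from the initrd runs as kernel_t; init_t connects to its socket` above the call. That makes it clear the rule can be narrowed or dropped if plymouthd is later given its own domain, instead of surviving as an unexplained grant to the kernel domain.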