From 79bff2bb38a3054376d6179f3f1105c3540092f6 Mon Sep 17 00:00:00 2001
From: Dan Walsh
Date: Tue, 28 Sep 2010 16:24:56 -0400
Subject: [PATCH] Allow mozilla_plugin to manage all gnome config files

Allow nsplugin_t to read lnk files in nsplugin_rw_t
New labeling for packagekit scripts to bin_t
Allow mount_t to delete etc_t
Allow fsdaemon_t to read usr_t files
---
 policy/modules/apps/mozilla.te        | 7 +++++--
 policy/modules/apps/nsplugin.te       | 4 ++--
 policy/modules/kernel/corecommands.fc | 2 ++
 policy/modules/services/smartmon.te   | 1 +
 policy/modules/system/mount.te        | 5 +++--
 5 files changed, 13 insertions(+), 6 deletions(-)

diff --git a/policy/modules/apps/mozilla.te b/policy/modules/apps/mozilla.te
index 5c3200a6..3ecd99bf 100644
--- a/policy/modules/apps/mozilla.te
+++ b/policy/modules/apps/mozilla.te
@@ -346,6 +346,8 @@ fs_getattr_tmpfs(mozilla_plugin_t)
 miscfiles_read_localization(mozilla_plugin_t)
 miscfiles_read_fonts(mozilla_plugin_t)
+sysnet_dns_name_resolve(mozilla_plugin_t)
+
 term_getattr_all_ttys(mozilla_plugin_t)
 term_getattr_all_ptys(mozilla_plugin_t)
 
@@ -371,7 +373,7 @@ optional_policy(`
 ')
 
 optional_policy(`
-	gnome_manage_home_config(mozilla_plugin_t)
+	gnome_manage_config(mozilla_plugin_t)
 	gnome_setattr_home_config(mozilla_plugin_t)
 ')
 
@@ -380,11 +382,12 @@ optional_policy(`
 	nsplugin_rw_exec(mozilla_plugin_t)
 	nsplugin_manage_home_dirs(mozilla_plugin_t)
 	nsplugin_manage_home_files(mozilla_plugin_t)
-	nsplugin_user_home_dir_filetrans(mozilla_plugin_t)
+	nsplugin_user_home_dir_filetrans(mozilla_plugin_t, dir)
 	nsplugin_signal(mozilla_plugin_t)
 ')
 
 optional_policy(`
+	pulseaudio_setattr_home_dir(mozilla_plugin_t)
 	pulseaudio_rw_home_files(mozilla_plugin_t)
 ')
 
diff --git a/policy/modules/apps/nsplugin.te b/policy/modules/apps/nsplugin.te
index 7bc0dcff..594e5d9b 100644
--- a/policy/modules/apps/nsplugin.te
+++ b/policy/modules/apps/nsplugin.te
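Review bot: Swapping gnome_manage_home_config for gnome_manage_config in the second mozilla.te hunk widens mozilla_plugin_t from managing the user's gnome home config to the broader set of gnome config files the commit title names, and nothing on the line records why a domain that exists to confine plugin code needs write access beyond its own home config. A why-comment on the new line would let a later reviewer judge the grant, e.g. `# plugins need to write gnome config outside the home config type (see <BUG-ID>)`. If only one config location is actually needed, a narrower interface would keep the containment the home-config call gave; which interfaces gnome.if offers cannot be seen from this hunk. The enclosing optional_policy block is fully inside the hunk.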
@@ -63,8 +63,8 @@ allow nsplugin_t self:msgq create_msgq_perms;
 allow nsplugin_t self:unix_stream_socket { connectto create_stream_socket_perms };
 allow nsplugin_t self:unix_dgram_socket create_socket_perms;
 allow nsplugin_t nsplugin_rw_t:dir list_dir_perms;
-read_lnk_files_pattern(nsplugin_config_t, nsplugin_rw_t, nsplugin_rw_t)
-read_files_pattern(nsplugin_config_t, nsplugin_rw_t, nsplugin_rw_t)
+read_lnk_files_pattern(nsplugin_t, nsplugin_rw_t, nsplugin_rw_t)
+read_files_pattern(nsplugin_t, nsplugin_rw_t, nsplugin_rw_t)
 
 tunable_policy(`allow_nsplugin_execmem',`
 	allow nsplugin_t self:process { execstack execmem };
diff --git a/policy/modules/kernel/corecommands.fc b/policy/modules/kernel/corecommands.fc
index 794a0ebc..38d675cc 100644
--- a/policy/modules/kernel/corecommands.fc
+++ b/policy/modules/kernel/corecommands.fc
@@ -74,6 +74,8 @@ ifdef(`distro_redhat',`
 /etc/netplug\.d(/.*)?			gen_context(system_u:object_r:bin_t,s0)
+/etc/PackageKit/events(/.*)?		gen_context(system_u:object_r:bin_t,s0)
+
 /etc/pm/power\.d(/.*)?			gen_context(system_u:object_r:bin_t,s0)
 /etc/pm/sleep\.d(/.*)?			gen_context(system_u:object_r:bin_t,s0)
diff --git a/policy/modules/services/smartmon.te b/policy/modules/services/smartmon.te
index 894f62d7..6f49778c 100644
--- a/policy/modules/services/smartmon.te
+++ b/policy/modules/services/smartmon.te
@@ -72,6 +72,7 @@ files_exec_etc_files(fsdaemon_t)
 files_read_etc_runtime_files(fsdaemon_t)
 # for config
 files_read_etc_files(fsdaemon_t)
+files_read_usr_files(fsdaemon_t)
 
 fs_getattr_all_fs(fsdaemon_t)
 fs_search_auto_mountpoints(fsdaemon_t)
diff --git a/policy/modules/system/mount.te b/policy/modules/system/mount.te
index 0fcd4e7f..8848e140 100644
--- a/policy/modules/system/mount.te
+++ b/policy/modules/system/mount.te
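Review bot: The two changed lines in nsplugin.te take the read_lnk_files_pattern/read_files_pattern grants away from nsplugin_config_t instead of adding them for nsplugin_t alongside, while the commit message only describes an addition. The preceding `allow nsplugin_t nsplugin_rw_t:dir list_dir_perms;` suggests nsplugin_config_t was a typo for nsplugin_t in the original, but if nsplugin_config_t does read nsplugin_rw_t files anywhere this is a silent regression that will surface only as new denials. Either keep both subjects or state in the commit message that nsplugin_config_t intentionally loses this access.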
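Review bot: The new `/etc/PackageKit/events(/.*)?` entry labels a hook directory under /etc as bin_t, which makes anything written there executable content for every domain holding bin_t execute rights, not only the domain that runs PackageKit's event scripts. That is the same treatment the neighbouring /etc/pm/*.d entries get, but nothing records which domain is expected to run these scripts; a comment on the line such as `# PackageKit event hook scripts, run by the packagekit domain` would document the intent, and the packagekit module should be checked for a matching exec rule rather than relying on generic bin_t access. Whether this entry sits inside the distro_redhat ifdef named in the hunk header cannot be told from the hunk alone.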
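Review bot: `files_read_usr_files(fsdaemon_t)` is added without the kind of why-comment the adjacent `# for config` line gives, so a reader cannot tell what under /usr smartd needs to read or why an etc_t read was not enough. A one-line comment naming the file or feature, e.g. `# <what smartd reads under /usr>`, would keep the grant reviewable when the module is next tightened.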
@@ -112,16 +112,17 @@ files_search_all(mount_t)
 files_read_etc_files(mount_t)
 files_manage_etc_runtime_files(mount_t)
 files_etc_filetrans_etc_runtime(mount_t, file)
+# for when /etc/mtab loses its type
+files_delete_etc_files(mount_t)
 files_mounton_all_mountpoints(mount_t)
 # ntfs-3g checks whether the mountpoint is writable before mounting
 files_write_all_mountpoints(mount_t)
 files_unmount_rootfs(mount_t)
+
 # These rules need to be generalized. Only admin, initrc should have it:
 files_relabel_all_file_type_fs(mount_t)
 files_mount_all_file_type_fs(mount_t)
 files_unmount_all_file_type_fs(mount_t)
-# for when /etc/mtab loses its type
-# cjp: this seems wrong, the type should probably be etc
 files_read_isid_type_files(mount_t)
 # For reading cert files
 files_read_usr_files(mount_t)
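Review bot: `files_delete_etc_files(mount_t)` lets mount_t unlink every etc_t file, not only /etc/mtab, so the comment moved onto it, `# for when /etc/mtab loses its type`, understates what is granted; the removed `# cjp: this seems wrong, the type should probably be etc` remark was objecting to exactly this kind of mtab workaround, and its concern is dropped while the `files_read_isid_type_files(mount_t)` it annotated stays behind, now undocumented. If mtab can be kept on its intended type instead (the `files_etc_filetrans_etc_runtime(mount_t, file)` line three above presumably covers the creation path, though how the type is lost is not visible here), that would avoid widening deletion to all of /etc. If the broad rule has to stay, the comment should admit the scope: `# for when /etc/mtab loses its type; note this permits deleting any etc_t file`.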