- Add mozilla_plugin_use_bluejeans boolean
- Add additional interfaces needed by mozilla_plugin_use_bluejeans boolean
This commit is contained in:
parent
686a38099f
commit
a629498afd
@ -3900,7 +3900,7 @@ index f9b25c1..9af1f7a 100644
|
||||
+/usr/lib/udev/devices/ppp -c gen_context(system_u:object_r:ppp_device_t,s0)
|
||||
+/usr/lib/udev/devices/net/.* -c gen_context(system_u:object_r:tun_tap_device_t,s0)
|
||||
diff --git a/policy/modules/kernel/corenetwork.if.in b/policy/modules/kernel/corenetwork.if.in
|
||||
index 07126bd..38ba47d 100644
|
||||
index 07126bd..015bd7a 100644
|
||||
--- a/policy/modules/kernel/corenetwork.if.in
|
||||
+++ b/policy/modules/kernel/corenetwork.if.in
|
||||
@@ -55,6 +55,7 @@ interface(`corenet_reserved_port',`
|
||||
@ -4512,26 +4512,10 @@ index 07126bd..38ba47d 100644
|
||||
## Send and receive TCP network traffic on all reserved ports.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
@@ -1757,7 +2129,259 @@ interface(`corenet_udp_receive_all_reserved_ports',`
|
||||
@@ -1772,6 +2144,25 @@ interface(`corenet_udp_sendrecv_all_reserved_ports',`
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
-## Send and receive UDP network traffic on all reserved ports.
|
||||
+## Send and receive UDP network traffic on all reserved ports.
|
||||
+## </summary>
|
||||
+## <param name="domain">
|
||||
+## <summary>
|
||||
+## Domain allowed access.
|
||||
+## </summary>
|
||||
+## </param>
|
||||
+#
|
||||
+interface(`corenet_udp_sendrecv_all_reserved_ports',`
|
||||
+ corenet_udp_send_all_reserved_ports($1)
|
||||
+ corenet_udp_receive_all_reserved_ports($1)
|
||||
+')
|
||||
+
|
||||
+########################################
|
||||
+## <summary>
|
||||
+## Bind DCCP sockets to all reserved ports.
|
||||
+## </summary>
|
||||
+## <param name="domain">
|
||||
@ -4551,19 +4535,15 @@ index 07126bd..38ba47d 100644
|
||||
+
|
||||
+########################################
|
||||
+## <summary>
|
||||
+## Bind TCP sockets to all reserved ports.
|
||||
+## </summary>
|
||||
+## <param name="domain">
|
||||
+## <summary>
|
||||
+## Domain allowed access.
|
||||
+## </summary>
|
||||
+## </param>
|
||||
+#
|
||||
+interface(`corenet_tcp_bind_all_reserved_ports',`
|
||||
+ gen_require(`
|
||||
+ attribute reserved_port_type;
|
||||
+ ')
|
||||
+
|
||||
## Bind TCP sockets to all reserved ports.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
@@ -1785,31 +2176,284 @@ interface(`corenet_tcp_bind_all_reserved_ports',`
|
||||
attribute reserved_port_type;
|
||||
')
|
||||
|
||||
- allow $1 reserved_port_type:tcp_socket name_bind;
|
||||
- allow $1 self:capability net_bind_service;
|
||||
+ allow $1 reserved_port_type:tcp_socket name_bind;
|
||||
+ allow $1 self:capability net_bind_service;
|
||||
+')
|
||||
@ -4679,6 +4659,24 @@ index 07126bd..38ba47d 100644
|
||||
+
|
||||
+########################################
|
||||
+## <summary>
|
||||
+## Bind TCP sockets to all ports > 1024.
|
||||
+## </summary>
|
||||
+## <param name="domain">
|
||||
+## <summary>
|
||||
+## Domain allowed access.
|
||||
+## </summary>
|
||||
+## </param>
|
||||
+#
|
||||
+interface(`corenet_tcp_bind_unreserved_ports',`
|
||||
+ gen_require(`
|
||||
+ attribute unreserved_port_t;
|
||||
+ ')
|
||||
+
|
||||
+ allow $1 unreserved_port_t:tcp_socket name_bind;
|
||||
+')
|
||||
+
|
||||
+########################################
|
||||
+## <summary>
|
||||
+## Bind UDP sockets to all ports > 1024.
|
||||
+## </summary>
|
||||
+## <param name="domain">
|
||||
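Review bot: The gen_require of corenet_tcp_bind_unreserved_ports declares `attribute unreserved_port_t;`, while corenet_tcp_connect_unreserved_ports in the next hunk of the same file declares the same identifier as `type unreserved_port_t;`, so one of the two is wrong, and in a modular build a require of the wrong kind is likely to be rejected when the module is linked. The rule that follows binds to it as a single type (`allow $1 unreserved_port_t:tcp_socket name_bind;`), so `type unreserved_port_t;` looks like the intended declaration; a bind to every unreserved port type is already covered by the existing corenet_tcp_bind_all_unreserved_ports. Whether this hunk is new in this commit or carried over from the previous revision of the patch cannot be told here, because the outer diff markers did not survive rendering.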
@ -4770,50 +4768,36 @@ index 07126bd..38ba47d 100644
|
||||
+########################################
|
||||
+## <summary>
|
||||
+## Connect DCCP sockets to all ports > 1024.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
@@ -1765,51 +2389,53 @@ interface(`corenet_udp_receive_all_reserved_ports',`
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
-interface(`corenet_udp_sendrecv_all_reserved_ports',`
|
||||
- corenet_udp_send_all_reserved_ports($1)
|
||||
- corenet_udp_receive_all_reserved_ports($1)
|
||||
+## </summary>
|
||||
+## <param name="domain">
|
||||
+## <summary>
|
||||
+## Domain allowed access.
|
||||
+## </summary>
|
||||
+## </param>
|
||||
+#
|
||||
+interface(`corenet_dccp_connect_all_unreserved_ports',`
|
||||
+ gen_require(`
|
||||
+ attribute unreserved_port_type;
|
||||
+ ')
|
||||
+
|
||||
+ allow $1 unreserved_port_type:dccp_socket name_connect;
|
||||
')
|
||||
|
||||
-########################################
|
||||
+')
|
||||
+
|
||||
+#######################################
|
||||
## <summary>
|
||||
-## Bind TCP sockets to all reserved ports.
|
||||
+## <summary>
|
||||
+## Connect TCP sockets to ports > 1024.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
-## <summary>
|
||||
-## Domain allowed access.
|
||||
-## </summary>
|
||||
+## </summary>
|
||||
+## <param name="domain">
|
||||
+## <summary>
|
||||
+## Domain allowed access.
|
||||
+## </summary>
|
||||
## </param>
|
||||
#
|
||||
-interface(`corenet_tcp_bind_all_reserved_ports',`
|
||||
- gen_require(`
|
||||
- attribute reserved_port_type;
|
||||
- ')
|
||||
+## </param>
|
||||
+#
|
||||
+interface(`corenet_tcp_connect_unreserved_ports',`
|
||||
+ gen_require(`
|
||||
+ type unreserved_port_t;
|
||||
+ ')
|
||||
|
||||
- allow $1 reserved_port_type:tcp_socket name_bind;
|
||||
- allow $1 self:capability net_bind_service;
|
||||
+
|
||||
+ allow $1 unreserved_port_t:tcp_socket name_connect;
|
||||
')
|
||||
|
||||
@ -4847,7 +4831,7 @@ index 07126bd..38ba47d 100644
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
@@ -1817,18 +2443,18 @@ interface(`corenet_dontaudit_tcp_bind_all_reserved_ports',`
|
||||
@@ -1817,18 +2461,18 @@ interface(`corenet_dontaudit_tcp_bind_all_reserved_ports',`
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
@ -4871,7 +4855,7 @@ index 07126bd..38ba47d 100644
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
@@ -1836,35 +2462,36 @@ interface(`corenet_udp_bind_all_reserved_ports',`
|
||||
@@ -1836,35 +2480,36 @@ interface(`corenet_udp_bind_all_reserved_ports',`
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
@ -4916,7 +4900,7 @@ index 07126bd..38ba47d 100644
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
@@ -1872,17 +2499,17 @@ interface(`corenet_tcp_bind_all_unreserved_ports',`
|
||||
@@ -1872,17 +2517,17 @@ interface(`corenet_tcp_bind_all_unreserved_ports',`
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
@ -4938,7 +4922,7 @@ index 07126bd..38ba47d 100644
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
@@ -1890,36 +2517,37 @@ interface(`corenet_udp_bind_all_unreserved_ports',`
|
||||
@@ -1890,36 +2535,37 @@ interface(`corenet_udp_bind_all_unreserved_ports',`
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
@ -4985,7 +4969,7 @@ index 07126bd..38ba47d 100644
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
@@ -1927,54 +2555,54 @@ interface(`corenet_tcp_connect_all_unreserved_ports',`
|
||||
@@ -1927,54 +2573,54 @@ interface(`corenet_tcp_connect_all_unreserved_ports',`
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
@ -5055,7 +5039,7 @@ index 07126bd..38ba47d 100644
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
@@ -1982,13 +2610,12 @@ interface(`corenet_dontaudit_tcp_connect_all_rpc_ports',`
|
||||
@@ -1982,13 +2628,12 @@ interface(`corenet_dontaudit_tcp_connect_all_rpc_ports',`
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
@ -5071,7 +5055,7 @@ index 07126bd..38ba47d 100644
|
||||
')
|
||||
|
||||
########################################
|
||||
@@ -2049,6 +2676,25 @@ interface(`corenet_rw_ppp_dev',`
|
||||
@@ -2049,6 +2694,25 @@ interface(`corenet_rw_ppp_dev',`
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
@ -5097,7 +5081,7 @@ index 07126bd..38ba47d 100644
|
||||
## Bind TCP sockets to all RPC ports.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
@@ -2068,6 +2714,24 @@ interface(`corenet_tcp_bind_all_rpc_ports',`
|
||||
@@ -2068,6 +2732,24 @@ interface(`corenet_tcp_bind_all_rpc_ports',`
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
@ -5122,7 +5106,7 @@ index 07126bd..38ba47d 100644
|
||||
## Do not audit attempts to bind TCP sockets to all RPC ports.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
@@ -2194,6 +2858,25 @@ interface(`corenet_tcp_recv_netlabel',`
|
||||
@@ -2194,6 +2876,25 @@ interface(`corenet_tcp_recv_netlabel',`
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
@ -5148,7 +5132,7 @@ index 07126bd..38ba47d 100644
|
||||
## Receive TCP packets from a NetLabel connection.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
@@ -2213,7 +2896,7 @@ interface(`corenet_tcp_recvfrom_netlabel',`
|
||||
@@ -2213,7 +2914,7 @@ interface(`corenet_tcp_recvfrom_netlabel',`
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
@ -5157,7 +5141,7 @@ index 07126bd..38ba47d 100644
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
@@ -2221,10 +2904,15 @@ interface(`corenet_tcp_recvfrom_netlabel',`
|
||||
@@ -2221,10 +2922,15 @@ interface(`corenet_tcp_recvfrom_netlabel',`
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
@ -5175,7 +5159,7 @@ index 07126bd..38ba47d 100644
|
||||
# XXX - at some point the oubound/send access check will be removed
|
||||
# but for right now we need to keep this in place so as not to break
|
||||
# older systems
|
||||
@@ -2249,6 +2937,26 @@ interface(`corenet_dontaudit_tcp_recv_netlabel',`
|
||||
@@ -2249,6 +2955,26 @@ interface(`corenet_dontaudit_tcp_recv_netlabel',`
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
@ -5202,7 +5186,7 @@ index 07126bd..38ba47d 100644
|
||||
## Do not audit attempts to receive TCP packets from a NetLabel
|
||||
## connection.
|
||||
## </summary>
|
||||
@@ -2269,6 +2977,27 @@ interface(`corenet_dontaudit_tcp_recvfrom_netlabel',`
|
||||
@@ -2269,6 +2995,27 @@ interface(`corenet_dontaudit_tcp_recvfrom_netlabel',`
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
@ -5230,7 +5214,7 @@ index 07126bd..38ba47d 100644
|
||||
## Do not audit attempts to receive TCP packets from an unlabeled
|
||||
## connection.
|
||||
## </summary>
|
||||
@@ -2533,15 +3262,10 @@ interface(`corenet_dontaudit_raw_recvfrom_unlabeled',`
|
||||
@@ -2533,15 +3280,10 @@ interface(`corenet_dontaudit_raw_recvfrom_unlabeled',`
|
||||
## <infoflow type="read" weight="10"/>
|
||||
#
|
||||
interface(`corenet_all_recvfrom_unlabeled',`
|
||||
@ -5250,7 +5234,7 @@ index 07126bd..38ba47d 100644
|
||||
')
|
||||
|
||||
########################################
|
||||
@@ -2567,11 +3291,34 @@ interface(`corenet_all_recvfrom_unlabeled',`
|
||||
@@ -2567,11 +3309,34 @@ interface(`corenet_all_recvfrom_unlabeled',`
|
||||
#
|
||||
interface(`corenet_all_recvfrom_netlabel',`
|
||||
gen_require(`
|
||||
@ -5288,7 +5272,7 @@ index 07126bd..38ba47d 100644
|
||||
')
|
||||
|
||||
########################################
|
||||
@@ -2585,6 +3332,7 @@ interface(`corenet_all_recvfrom_netlabel',`
|
||||
@@ -2585,6 +3350,7 @@ interface(`corenet_all_recvfrom_netlabel',`
|
||||
## </param>
|
||||
#
|
||||
interface(`corenet_dontaudit_all_recvfrom_unlabeled',`
|
||||
@ -5296,7 +5280,7 @@ index 07126bd..38ba47d 100644
|
||||
kernel_dontaudit_tcp_recvfrom_unlabeled($1)
|
||||
kernel_dontaudit_udp_recvfrom_unlabeled($1)
|
||||
kernel_dontaudit_raw_recvfrom_unlabeled($1)
|
||||
@@ -2613,7 +3361,35 @@ interface(`corenet_dontaudit_all_recvfrom_netlabel',`
|
||||
@@ -2613,7 +3379,35 @@ interface(`corenet_dontaudit_all_recvfrom_netlabel',`
|
||||
')
|
||||
|
||||
dontaudit $1 netlabel_peer_t:peer recv;
|
||||
@ -5333,7 +5317,7 @@ index 07126bd..38ba47d 100644
|
||||
')
|
||||
|
||||
########################################
|
||||
@@ -2727,6 +3503,7 @@ interface(`corenet_raw_recvfrom_labeled',`
|
||||
@@ -2727,6 +3521,7 @@ interface(`corenet_raw_recvfrom_labeled',`
|
||||
## </param>
|
||||
#
|
||||
interface(`corenet_all_recvfrom_labeled',`
|
||||
@ -5341,13 +5325,30 @@ index 07126bd..38ba47d 100644
|
||||
corenet_tcp_recvfrom_labeled($1, $2)
|
||||
corenet_udp_recvfrom_labeled($1, $2)
|
||||
corenet_raw_recvfrom_labeled($1, $2)
|
||||
@@ -3134,3 +3911,53 @@ interface(`corenet_unconfined',`
|
||||
@@ -3134,3 +3929,70 @@ interface(`corenet_unconfined',`
|
||||
|
||||
typeattribute $1 corenet_unconfined_type;
|
||||
')
|
||||
+
|
||||
+########################################
|
||||
+## <summary>
|
||||
+## Dontaudit bind tcp sockets to defined ports.
|
||||
+## </summary>
|
||||
+## <param name="domain">
|
||||
+## <summary>
|
||||
+## Domain allowed access.
|
||||
+## </summary>
|
||||
+## </param>
|
||||
+#
|
||||
+interface(`corenet_dontaudit_tcp_bind_all_defined_ports',`
|
||||
+ gen_require(`
|
||||
+ attribute defined_port_type;
|
||||
+ ')
|
||||
+ dontaudit $1 defined_port_type:tcp_socket name_bind;
|
||||
+')
|
||||
+
|
||||
+########################################
|
||||
+## <summary>
|
||||
+## Create all network named devices with the correct label
|
||||
+## </summary>
|
||||
+## <param name="domain">
|
||||
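Review bot: In corenet_dontaudit_tcp_bind_all_defined_ports the `dontaudit $1 defined_port_type:tcp_socket name_bind;` line directly follows the closing `')` of gen_require, whereas every sibling interface on this page separates the gen_require block from its rules with a blank line. Adding that blank line keeps the file's layout uniform and makes the rule body visually distinct from the requirements. This is a style point only; the rule itself looks correct.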
@ -34513,10 +34514,38 @@ index 9fe8e01..83acb32 100644
|
||||
/var/spool/postfix/etc/localtime -- gen_context(system_u:object_r:locale_t,s0)
|
||||
')
|
||||
diff --git a/policy/modules/system/miscfiles.if b/policy/modules/system/miscfiles.if
|
||||
index fc28bc3..416ac0f 100644
|
||||
index fc28bc3..faa2281 100644
|
||||
--- a/policy/modules/system/miscfiles.if
|
||||
+++ b/policy/modules/system/miscfiles.if
|
||||
@@ -106,6 +106,24 @@ interface(`miscfiles_manage_generic_cert_dirs',`
|
||||
@@ -67,6 +67,27 @@ interface(`miscfiles_read_all_certs',`
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
+## Read all SSL certificates.
|
||||
+## </summary>
|
||||
+## <param name="domain">
|
||||
+## <summary>
|
||||
+## Domain allowed access.
|
||||
+## </summary>
|
||||
+## </param>
|
||||
+## <rolecap/>
|
||||
+#
|
||||
+interface(`miscfiles_manage_all_certs',`
|
||||
+ gen_require(`
|
||||
+ attribute cert_type;
|
||||
+ ')
|
||||
+
|
||||
+ allow $1 cert_type:dir list_dir_perms;
|
||||
+ manage_files_pattern($1, cert_type, cert_type)
|
||||
+ manage_lnk_files_pattern($1, cert_type, cert_type)
|
||||
+')
|
||||
+
|
||||
+########################################
|
||||
+## <summary>
|
||||
## Read generic SSL certificates.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
@@ -106,6 +127,24 @@ interface(`miscfiles_manage_generic_cert_dirs',`
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
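Review bot: The summary of the new miscfiles_manage_all_certs interface reads `## Read all SSL certificates.`, but its body grants manage_files_pattern and manage_lnk_files_pattern over every cert_type, i.e. create, write, rename and delete, so the documentation understates what a caller receives; `## Manage all SSL certificates.` matches both the body and the adjacent `## Manage generic SSL certificates.` interface. Because cert_type is an attribute spanning every certificate type in the policy, the summary should make clear that the caller gets write and delete access across all of them, which is what an auditor of a calling domain needs to see. The `<rolecap/>` tag is also unusual on a manage interface and may have been copied from miscfiles_read_all_certs above; worth confirming it is intended.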
@ -34541,7 +34570,7 @@ index fc28bc3..416ac0f 100644
|
||||
## Manage generic SSL certificates.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
@@ -156,6 +174,26 @@ interface(`miscfiles_manage_cert_dirs',`
|
||||
@@ -156,6 +195,26 @@ interface(`miscfiles_manage_cert_dirs',`
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
@ -34568,7 +34597,7 @@ index fc28bc3..416ac0f 100644
|
||||
## Manage SSL certificates.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
@@ -434,6 +472,7 @@ interface(`miscfiles_rw_localization',`
|
||||
@@ -434,6 +493,7 @@ interface(`miscfiles_rw_localization',`
|
||||
files_search_usr($1)
|
||||
allow $1 locale_t:dir list_dir_perms;
|
||||
rw_files_pattern($1, locale_t, locale_t)
|
||||
@ -34576,7 +34605,7 @@ index fc28bc3..416ac0f 100644
|
||||
')
|
||||
|
||||
########################################
|
||||
@@ -453,6 +492,7 @@ interface(`miscfiles_relabel_localization',`
|
||||
@@ -453,6 +513,7 @@ interface(`miscfiles_relabel_localization',`
|
||||
|
||||
files_search_usr($1)
|
||||
relabel_files_pattern($1, locale_t, locale_t)
|
||||
@ -34584,7 +34613,7 @@ index fc28bc3..416ac0f 100644
|
||||
')
|
||||
|
||||
########################################
|
||||
@@ -470,7 +510,6 @@ interface(`miscfiles_legacy_read_localization',`
|
||||
@@ -470,7 +531,6 @@ interface(`miscfiles_legacy_read_localization',`
|
||||
type locale_t;
|
||||
')
|
||||
|
||||
@ -34592,7 +34621,7 @@ index fc28bc3..416ac0f 100644
|
||||
allow $1 locale_t:file execute;
|
||||
')
|
||||
|
||||
@@ -531,6 +570,10 @@ interface(`miscfiles_read_man_pages',`
|
||||
@@ -531,6 +591,10 @@ interface(`miscfiles_read_man_pages',`
|
||||
allow $1 { man_cache_t man_t }:dir list_dir_perms;
|
||||
read_files_pattern($1, { man_cache_t man_t }, { man_cache_t man_t })
|
||||
read_lnk_files_pattern($1, { man_cache_t man_t }, { man_cache_t man_t })
|
||||
@ -34603,7 +34632,7 @@ index fc28bc3..416ac0f 100644
|
||||
')
|
||||
|
||||
########################################
|
||||
@@ -554,6 +597,29 @@ interface(`miscfiles_delete_man_pages',`
|
||||
@@ -554,6 +618,29 @@ interface(`miscfiles_delete_man_pages',`
|
||||
delete_dirs_pattern($1, { man_cache_t man_t }, { man_cache_t man_t })
|
||||
delete_files_pattern($1, { man_cache_t man_t }, { man_cache_t man_t })
|
||||
delete_lnk_files_pattern($1, { man_cache_t man_t }, { man_cache_t man_t })
|
||||
@ -34633,7 +34662,7 @@ index fc28bc3..416ac0f 100644
|
||||
')
|
||||
|
||||
########################################
|
||||
@@ -622,6 +688,30 @@ interface(`miscfiles_manage_man_cache',`
|
||||
@@ -622,6 +709,30 @@ interface(`miscfiles_manage_man_cache',`
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
@ -34664,7 +34693,7 @@ index fc28bc3..416ac0f 100644
|
||||
## Read public files used for file
|
||||
## transfer services.
|
||||
## </summary>
|
||||
@@ -784,8 +874,11 @@ interface(`miscfiles_etc_filetrans_localization',`
|
||||
@@ -784,8 +895,11 @@ interface(`miscfiles_etc_filetrans_localization',`
|
||||
type locale_t;
|
||||
')
|
||||
|
||||
@ -34678,7 +34707,7 @@ index fc28bc3..416ac0f 100644
|
||||
')
|
||||
|
||||
########################################
|
||||
@@ -809,3 +902,61 @@ interface(`miscfiles_manage_localization',`
|
||||
@@ -809,3 +923,61 @@ interface(`miscfiles_manage_localization',`
|
||||
manage_lnk_files_pattern($1, locale_t, locale_t)
|
||||
')
|
||||
|
||||
|
@ -11121,7 +11121,7 @@ index 008f8ef..144c074 100644
|
||||
admin_pattern($1, certmonger_var_run_t)
|
||||
')
|
||||
diff --git a/certmonger.te b/certmonger.te
|
||||
index 550b287..ad3330f 100644
|
||||
index 550b287..31b8bd7 100644
|
||||
--- a/certmonger.te
|
||||
+++ b/certmonger.te
|
||||
@@ -18,6 +18,9 @@ files_type(certmonger_var_lib_t)
|
||||
@ -11185,17 +11185,17 @@ index 550b287..ad3330f 100644
|
||||
|
||||
fs_search_cgroup_dirs(certmonger_t)
|
||||
|
||||
@@ -70,16 +84,18 @@ init_getattr_all_script_files(certmonger_t)
|
||||
@@ -70,16 +84,17 @@ init_getattr_all_script_files(certmonger_t)
|
||||
|
||||
logging_send_syslog_msg(certmonger_t)
|
||||
|
||||
-miscfiles_read_localization(certmonger_t)
|
||||
miscfiles_manage_generic_cert_files(certmonger_t)
|
||||
|
||||
+systemd_exec_systemctl(certmonger_t)
|
||||
-miscfiles_manage_generic_cert_files(certmonger_t)
|
||||
+miscfiles_manage_all_certs(certmonger_t)
|
||||
+
|
||||
+systemd_exec_systemctl(certmonger_t)
|
||||
|
||||
userdom_search_user_home_content(certmonger_t)
|
||||
+userdom_manage_home_certs(certmonger_t)
|
||||
|
||||
optional_policy(`
|
||||
- apache_initrc_domtrans(certmonger_t)
|
||||
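Review bot: certmonger_t moves from miscfiles_manage_generic_cert_files to miscfiles_manage_all_certs and additionally gains userdom_manage_home_certs, which widens its write access from the generic cert directories to every cert_type and to certificates under user home directories, yet neither change is mentioned in the commit message, which lists only the mozilla_plugin_use_bluejeans boolean. A one-line justification in the message, naming the certmonger operation that needs to write non-generic or home certificates, would let a later reader tell a deliberate widening from an accidental one. The outer diff markers did not survive rendering, so the reading that both lines are new in this commit is inferred from the duplicated systemd_exec_systemctl line, which looks like the old and new positions of the same hunk.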
@ -11206,7 +11206,7 @@ index 550b287..ad3330f 100644
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -92,11 +108,51 @@ optional_policy(`
|
||||
@@ -92,11 +107,51 @@ optional_policy(`
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@ -11556,10 +11556,10 @@ index 80a88a2..ec869f5 100644
|
||||
+logging_send_syslog_msg(cgred_t)
|
||||
diff --git a/chrome.fc b/chrome.fc
|
||||
new file mode 100644
|
||||
index 0000000..57866f6
|
||||
index 0000000..d020d89
|
||||
--- /dev/null
|
||||
+++ b/chrome.fc
|
||||
@@ -0,0 +1,9 @@
|
||||
@@ -0,0 +1,10 @@
|
||||
+/opt/google/chrome/chrome-sandbox -- gen_context(system_u:object_r:chrome_sandbox_exec_t,s0)
|
||||
+
|
||||
+/usr/lib/chromium-browser/chrome-sandbox -- gen_context(system_u:object_r:chrome_sandbox_exec_t,s0)
|
||||
@ -11568,6 +11568,7 @@ index 0000000..57866f6
|
||||
+/usr/lib/chromium-browser/nacl_helper_bootstrap -- gen_context(system_u:object_r:chrome_sandbox_nacl_exec_t,s0)
|
||||
+
|
||||
+HOME_DIR/\.cache/google-chrome(/.*)? gen_context(system_u:object_r:chrome_sandbox_home_t,s0)
|
||||
+HOME_DIR/\.cache/google-chrome-unstable(/.*)? gen_context(system_u:object_r:chrome_sandbox_home_t,s0)
|
||||
+HOME_DIR/\.cache/chromium(/.*)? gen_context(system_u:object_r:chrome_sandbox_home_t,s0)
|
||||
diff --git a/chrome.if b/chrome.if
|
||||
new file mode 100644
|
||||
@ -11713,10 +11714,10 @@ index 0000000..a0fdbcb
|
||||
+')
|
||||
diff --git a/chrome.te b/chrome.te
|
||||
new file mode 100644
|
||||
index 0000000..fb60ffc
|
||||
index 0000000..b4f29e9
|
||||
--- /dev/null
|
||||
+++ b/chrome.te
|
||||
@@ -0,0 +1,248 @@
|
||||
@@ -0,0 +1,249 @@
|
||||
+policy_module(chrome,1.0.0)
|
||||
+
|
||||
+########################################
|
||||
@ -11851,7 +11852,8 @@ index 0000000..fb60ffc
|
||||
+ gnome_read_home_config(chrome_sandbox_t)
|
||||
+ gnome_cache_filetrans(chrome_sandbox_t, chrome_sandbox_home_t, dir, "chromium")
|
||||
+ gnome_cache_filetrans(chrome_sandbox_t, chrome_sandbox_home_t, dir, "chrome")
|
||||
+
|
||||
+ gnome_cache_filetrans(chrome_sandbox_t, chrome_sandbox_home_t, dir, "google-chrome")
|
||||
+ gnome_cache_filetrans(chrome_sandbox_t, chrome_sandbox_home_t, dir, "google-chrome-unstable")
|
||||
+')
|
||||
+
|
||||
+optional_policy(`
|
||||
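Review bot: chrome_sandbox_t gets a gnome_cache_filetrans to chrome_sandbox_home_t for a `chrome` directory, but the chrome.fc hunks in this commit label only `HOME_DIR/\.cache/google-chrome(/.*)?`, `HOME_DIR/\.cache/google-chrome-unstable(/.*)?` and `HOME_DIR/\.cache/chromium(/.*)?`; no file context for `HOME_DIR/\.cache/chrome` is visible. A directory created through that transition would be chrome_sandbox_home_t until a restorecon relabels it to whatever the generic cache pattern gives, so either chrome.fc needs a matching entry or the `chrome` transition should be dropped. Lines 4-5 of chrome.fc are not in the visible hunks, so this is inferred from what is shown.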
@ -38624,7 +38626,7 @@ index e88fb16..f20248c 100644
|
||||
+ ')
|
||||
')
|
||||
diff --git a/keystone.te b/keystone.te
|
||||
index 9929647..0907a30 100644
|
||||
index 9929647..4b6faae 100644
|
||||
--- a/keystone.te
|
||||
+++ b/keystone.te
|
||||
@@ -21,10 +21,14 @@ files_type(keystone_var_lib_t)
|
||||
@ -38642,12 +38644,15 @@ index 9929647..0907a30 100644
|
||||
|
||||
allow keystone_t self:fifo_file rw_fifo_file_perms;
|
||||
allow keystone_t self:unix_stream_socket { accept listen };
|
||||
@@ -57,20 +61,33 @@ corenet_all_recvfrom_netlabel(keystone_t)
|
||||
@@ -57,20 +61,36 @@ corenet_all_recvfrom_netlabel(keystone_t)
|
||||
corenet_tcp_sendrecv_generic_if(keystone_t)
|
||||
corenet_tcp_sendrecv_generic_node(keystone_t)
|
||||
corenet_tcp_bind_generic_node(keystone_t)
|
||||
+corenet_tcp_connect_mysqld_port(keystone_t)
|
||||
+corenet_tcp_connect_ldap_port(keystone_t)
|
||||
+corenet_tcp_connect_keystone_port(keystone_t)
|
||||
+corenet_tcp_connect_amqp_port(keystone_t)
|
||||
+corenet_tcp_connect_osapi_compute_port(keystone_t)
|
||||
|
||||
corenet_sendrecv_commplex_main_server_packets(keystone_t)
|
||||
corenet_tcp_bind_commplex_main_port(keystone_t)
|
||||
@ -45834,10 +45839,10 @@ index 6194b80..7490fe3 100644
|
||||
')
|
||||
+
|
||||
diff --git a/mozilla.te b/mozilla.te
|
||||
index 11ac8e4..fb431ea 100644
|
||||
index 11ac8e4..ab5b577 100644
|
||||
--- a/mozilla.te
|
||||
+++ b/mozilla.te
|
||||
@@ -6,17 +6,41 @@ policy_module(mozilla, 2.8.0)
|
||||
@@ -6,17 +6,48 @@ policy_module(mozilla, 2.8.0)
|
||||
#
|
||||
|
||||
## <desc>
|
||||
@ -45868,6 +45873,13 @@ index 11ac8e4..fb431ea 100644
|
||||
+
|
||||
+## <desc>
|
||||
+## <p>
|
||||
+## Allow mozilla plugin to use Bluejeans.
|
||||
+## </p>
|
||||
+## </desc>
|
||||
+gen_tunable(mozilla_plugin_use_bluejeans, false)
|
||||
+
|
||||
+## <desc>
|
||||
+## <p>
|
||||
+## Allow confined web browsers to read home directory content
|
||||
+## </p>
|
||||
+## </desc>
|
||||
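Review bot: The `<desc>` of the new mozilla_plugin_use_bluejeans tunable says only `Allow mozilla plugin to use Bluejeans.`, which tells an administrator nothing about what enabling it unlocks, whereas the other descriptions in this file, such as `Allow confined web browsers to read home directory content`, name the access being granted. The tunable_policy block that consumes this boolean is outside the visible hunks, so the description should summarize the rules it contains, for example `Allow mozilla_plugin_t the additional accesses required by the Bluejeans plugin` followed by a short list of what those accesses are. The default of `false` is the right choice for an opt-in widening.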
@ -45884,7 +45896,7 @@ index 11ac8e4..fb431ea 100644
|
||||
type mozilla_t;
|
||||
type mozilla_exec_t;
|
||||
typealias mozilla_t alias { user_mozilla_t staff_mozilla_t sysadm_mozilla_t };
|
||||
@@ -24,6 +48,9 @@ typealias mozilla_t alias { auditadm_mozilla_t secadm_mozilla_t };
|
||||
@@ -24,6 +55,9 @@ typealias mozilla_t alias { auditadm_mozilla_t secadm_mozilla_t };
|
||||
userdom_user_application_domain(mozilla_t, mozilla_exec_t)
|
||||
role mozilla_roles types mozilla_t;
|
||||
|
||||
@ -45894,7 +45906,7 @@ index 11ac8e4..fb431ea 100644
|
||||
type mozilla_home_t;
|
||||
typealias mozilla_home_t alias { user_mozilla_home_t staff_mozilla_home_t sysadm_mozilla_home_t };
|
||||
typealias mozilla_home_t alias { auditadm_mozilla_home_t secadm_mozilla_home_t };
|
||||
@@ -31,28 +58,24 @@ userdom_user_home_content(mozilla_home_t)
|
||||
@@ -31,28 +65,24 @@ userdom_user_home_content(mozilla_home_t)
|
||||
|
||||
type mozilla_plugin_t;
|
||||
type mozilla_plugin_exec_t;
|
||||
@ -45928,7 +45940,7 @@ index 11ac8e4..fb431ea 100644
|
||||
role mozilla_plugin_config_roles types mozilla_plugin_config_t;
|
||||
|
||||
type mozilla_tmp_t;
|
||||
@@ -63,10 +86,6 @@ typealias mozilla_tmpfs_t alias { user_mozilla_tmpfs_t staff_mozilla_tmpfs_t sys
|
||||
@@ -63,10 +93,6 @@ typealias mozilla_tmpfs_t alias { user_mozilla_tmpfs_t staff_mozilla_tmpfs_t sys
|
||||
typealias mozilla_tmpfs_t alias { auditadm_mozilla_tmpfs_t secadm_mozilla_tmpfs_t };
|
||||
userdom_user_tmpfs_file(mozilla_tmpfs_t)
|
||||
|
||||
@ -45939,7 +45951,7 @@ index 11ac8e4..fb431ea 100644
|
||||
########################################
|
||||
#
|
||||
# Local policy
|
||||
@@ -75,27 +94,30 @@ optional_policy(`
|
||||
@@ -75,27 +101,30 @@ optional_policy(`
|
||||
allow mozilla_t self:capability { sys_nice setgid setuid };
|
||||
allow mozilla_t self:process { sigkill signal setsched getsched setrlimit };
|
||||
allow mozilla_t self:fifo_file rw_fifo_file_perms;
|
||||
@ -45983,7 +45995,7 @@ index 11ac8e4..fb431ea 100644
|
||||
|
||||
manage_files_pattern(mozilla_t, mozilla_tmpfs_t, mozilla_tmpfs_t)
|
||||
manage_lnk_files_pattern(mozilla_t, mozilla_tmpfs_t, mozilla_tmpfs_t)
|
||||
@@ -103,76 +125,69 @@ manage_fifo_files_pattern(mozilla_t, mozilla_tmpfs_t, mozilla_tmpfs_t)
|
||||
@@ -103,76 +132,69 @@ manage_fifo_files_pattern(mozilla_t, mozilla_tmpfs_t, mozilla_tmpfs_t)
|
||||
manage_sock_files_pattern(mozilla_t, mozilla_tmpfs_t, mozilla_tmpfs_t)
|
||||
fs_tmpfs_filetrans(mozilla_t, mozilla_tmpfs_t, { file lnk_file sock_file fifo_file })
|
||||
|
||||
@ -46091,7 +46103,7 @@ index 11ac8e4..fb431ea 100644
|
||||
|
||||
term_dontaudit_getattr_pty_dirs(mozilla_t)
|
||||
|
||||
@@ -181,56 +196,73 @@ auth_use_nsswitch(mozilla_t)
|
||||
@@ -181,56 +203,73 @@ auth_use_nsswitch(mozilla_t)
|
||||
logging_send_syslog_msg(mozilla_t)
|
||||
|
||||
miscfiles_read_fonts(mozilla_t)
|
||||
@ -46099,15 +46111,15 @@ index 11ac8e4..fb431ea 100644
|
||||
miscfiles_dontaudit_setattr_fonts_dirs(mozilla_t)
|
||||
|
||||
-userdom_use_user_ptys(mozilla_t)
|
||||
-
|
||||
+userdom_use_inherited_user_ptys(mozilla_t)
|
||||
|
||||
-userdom_manage_user_tmp_dirs(mozilla_t)
|
||||
-userdom_manage_user_tmp_files(mozilla_t)
|
||||
-
|
||||
-userdom_manage_user_home_content_dirs(mozilla_t)
|
||||
-userdom_manage_user_home_content_files(mozilla_t)
|
||||
-userdom_user_home_dir_filetrans_user_home_content(mozilla_t, { dir file })
|
||||
+userdom_use_inherited_user_ptys(mozilla_t)
|
||||
|
||||
-
|
||||
-userdom_write_user_tmp_sockets(mozilla_t)
|
||||
-
|
||||
-mozilla_run_plugin(mozilla_t, mozilla_roles)
|
||||
@ -46202,7 +46214,7 @@ index 11ac8e4..fb431ea 100644
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -244,19 +276,12 @@ optional_policy(`
|
||||
@@ -244,19 +283,12 @@ optional_policy(`
|
||||
|
||||
optional_policy(`
|
||||
cups_read_rw_config(mozilla_t)
|
||||
@ -46224,7 +46236,7 @@ index 11ac8e4..fb431ea 100644
|
||||
|
||||
optional_policy(`
|
||||
networkmanager_dbus_chat(mozilla_t)
|
||||
@@ -265,33 +290,32 @@ optional_policy(`
|
||||
@@ -265,33 +297,32 @@ optional_policy(`
|
||||
|
||||
optional_policy(`
|
||||
gnome_stream_connect_gconf(mozilla_t)
|
||||
@ -46237,34 +46249,34 @@ index 11ac8e4..fb431ea 100644
|
||||
- gnome_home_filetrans_gnome_home(mozilla_t, dir, ".gnome2_private")
|
||||
+ gnome_manage_config(mozilla_t)
|
||||
+ gnome_manage_gconf_home_files(mozilla_t)
|
||||
+')
|
||||
+
|
||||
+optional_policy(`
|
||||
+ java_domtrans(mozilla_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
- java_exec(mozilla_t)
|
||||
- java_manage_generic_home_content(mozilla_t)
|
||||
- java_home_filetrans_java_home(mozilla_t, dir, ".java")
|
||||
+ lpd_domtrans_lpr(mozilla_t)
|
||||
+ java_domtrans(mozilla_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
- lpd_run_lpr(mozilla_t, mozilla_roles)
|
||||
+ mplayer_domtrans(mozilla_t)
|
||||
+ mplayer_read_user_home_files(mozilla_t)
|
||||
+ lpd_domtrans_lpr(mozilla_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
- mplayer_exec(mozilla_t)
|
||||
- mplayer_manage_generic_home_content(mozilla_t)
|
||||
- mplayer_home_filetrans_mplayer_home(mozilla_t, dir, ".mplayer")
|
||||
+ nscd_socket_use(mozilla_t)
|
||||
+ mplayer_domtrans(mozilla_t)
|
||||
+ mplayer_read_user_home_files(mozilla_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
- pulseaudio_run(mozilla_t, mozilla_roles)
|
||||
+ nscd_socket_use(mozilla_t)
|
||||
+')
|
||||
+
|
||||
+optional_policy(`
|
||||
+ #pulseaudio_role(mozilla_roles, mozilla_t)
|
||||
+ pulseaudio_exec(mozilla_t)
|
||||
+ pulseaudio_stream_connect(mozilla_t)
|
||||
@ -46272,7 +46284,7 @@ index 11ac8e4..fb431ea 100644
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -300,259 +324,253 @@ optional_policy(`
|
||||
@@ -300,259 +331,253 @@ optional_policy(`
|
||||
|
||||
########################################
|
||||
#
|
||||
@ -46356,12 +46368,12 @@ index 11ac8e4..fb431ea 100644
|
||||
allow mozilla_plugin_t mozilla_plugin_rw_t:dir list_dir_perms;
|
||||
-allow mozilla_plugin_t mozilla_plugin_rw_t:file read_file_perms;
|
||||
-allow mozilla_plugin_t mozilla_plugin_rw_t:lnk_file read_lnk_file_perms;
|
||||
-
|
||||
-dgram_send_pattern(mozilla_plugin_t, mozilla_plugin_tmpfs_t, mozilla_plugin_tmpfs_t, mozilla_t)
|
||||
-stream_connect_pattern(mozilla_plugin_t, mozilla_plugin_tmpfs_t, mozilla_plugin_tmpfs_t, mozilla_t)
|
||||
+read_lnk_files_pattern(mozilla_plugin_t, mozilla_plugin_rw_t, mozilla_plugin_rw_t)
|
||||
+read_files_pattern(mozilla_plugin_t, mozilla_plugin_rw_t, mozilla_plugin_rw_t)
|
||||
|
||||
-dgram_send_pattern(mozilla_plugin_t, mozilla_plugin_tmpfs_t, mozilla_plugin_tmpfs_t, mozilla_t)
|
||||
-stream_connect_pattern(mozilla_plugin_t, mozilla_plugin_tmpfs_t, mozilla_plugin_tmpfs_t, mozilla_t)
|
||||
-
|
||||
-can_exec(mozilla_plugin_t, { mozilla_exec_t mozilla_plugin_home_t mozilla_plugin_tmp_t })
|
||||
+can_exec(mozilla_plugin_t, mozilla_exec_t)
|
||||
|
||||
@ -46539,12 +46551,12 @@ index 11ac8e4..fb431ea 100644
|
||||
|
||||
-userdom_manage_user_tmp_dirs(mozilla_plugin_t)
|
||||
-userdom_manage_user_tmp_files(mozilla_plugin_t)
|
||||
-
|
||||
+systemd_read_logind_sessions_files(mozilla_plugin_t)
|
||||
|
||||
-userdom_manage_user_home_content_dirs(mozilla_plugin_t)
|
||||
-userdom_manage_user_home_content_files(mozilla_plugin_t)
|
||||
-userdom_user_home_dir_filetrans_user_home_content(mozilla_plugin_t, { dir file })
|
||||
+systemd_read_logind_sessions_files(mozilla_plugin_t)
|
||||
|
||||
-
|
||||
-userdom_write_user_tmp_sockets(mozilla_plugin_t)
|
||||
+term_getattr_all_ttys(mozilla_plugin_t)
|
||||
+term_getattr_all_ptys(mozilla_plugin_t)
|
||||
@ -46672,7 +46684,7 @@ index 11ac8e4..fb431ea 100644
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -560,7 +578,11 @@ optional_policy(`
|
||||
@@ -560,7 +585,11 @@ optional_policy(`
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@ -46685,7 +46697,7 @@ index 11ac8e4..fb431ea 100644
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -568,108 +590,131 @@ optional_policy(`
|
||||
@@ -568,108 +597,136 @@ optional_policy(`
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@ -46718,19 +46730,17 @@ index 11ac8e4..fb431ea 100644
|
||||
-allow mozilla_plugin_config_t mozilla_plugin_rw_t:dir manage_dir_perms;
|
||||
-allow mozilla_plugin_config_t mozilla_plugin_rw_t:file manage_file_perms;
|
||||
-allow mozilla_plugin_config_t mozilla_plugin_rw_t:lnk_file manage_lnk_file_perms;
|
||||
+allow mozilla_plugin_config_t self:process { setsched signal_perms getsched execmem execstack };
|
||||
|
||||
-
|
||||
-manage_dirs_pattern(mozilla_plugin_config_t, { mozilla_home_t mozilla_plugin_home_t }, { mozilla_home_t mozilla_plugin_home_t })
|
||||
-manage_files_pattern(mozilla_plugin_config_t, { mozilla_home_t mozilla_plugin_home_t }, mozilla_plugin_home_t)
|
||||
-manage_lnk_files_pattern(mozilla_plugin_config_t, { mozilla_home_t mozilla_plugin_home_t }, mozilla_plugin_home_t)
|
||||
-
|
||||
+allow mozilla_plugin_config_t self:process { setsched signal_perms getsched execmem execstack };
|
||||
|
||||
-userdom_user_home_dir_filetrans(mozilla_plugin_config_t, mozilla_home_t, dir, ".galeon")
|
||||
-userdom_user_home_dir_filetrans(mozilla_plugin_config_t, mozilla_home_t, dir, ".mozilla")
|
||||
-userdom_user_home_dir_filetrans(mozilla_plugin_config_t, mozilla_home_t, dir, ".netscape")
|
||||
-userdom_user_home_dir_filetrans(mozilla_plugin_config_t, mozilla_home_t, dir, ".phoenix")
|
||||
+allow mozilla_plugin_config_t self:fifo_file rw_file_perms;
|
||||
+allow mozilla_plugin_config_t self:unix_stream_socket create_stream_socket_perms;
|
||||
|
||||
-
|
||||
-userdom_user_home_dir_filetrans(mozilla_plugin_config_t, mozilla_plugin_home_t, dir, ".adobe")
|
||||
-userdom_user_home_dir_filetrans(mozilla_plugin_config_t, mozilla_plugin_home_t, dir, ".macromedia")
|
||||
-userdom_user_home_dir_filetrans(mozilla_plugin_config_t, mozilla_plugin_home_t, dir, ".gnash")
|
||||
@ -46739,20 +46749,22 @@ index 11ac8e4..fb431ea 100644
|
||||
-userdom_user_home_dir_filetrans(mozilla_plugin_config_t, mozilla_plugin_home_t, dir, ".spicec")
|
||||
-userdom_user_home_dir_filetrans(mozilla_plugin_config_t, mozilla_plugin_home_t, dir, ".ICAClient")
|
||||
-userdom_user_home_dir_filetrans(mozilla_plugin_config_t, mozilla_plugin_home_t, dir, "zimbrauserdata")
|
||||
+ps_process_pattern(mozilla_plugin_config_t,mozilla_plugin_t)
|
||||
+allow mozilla_plugin_config_t self:fifo_file rw_file_perms;
|
||||
+allow mozilla_plugin_config_t self:unix_stream_socket create_stream_socket_perms;
|
||||
|
||||
-filetrans_pattern(mozilla_plugin_config_t, mozilla_home_t, mozilla_plugin_home_t, dir, "plugins")
|
||||
+ps_process_pattern(mozilla_plugin_config_t,mozilla_plugin_t)
|
||||
|
||||
-can_exec(mozilla_plugin_config_t, { mozilla_plugin_rw_t mozilla_plugin_home_t })
|
||||
+dev_read_sysfs(mozilla_plugin_config_t)
|
||||
+dev_read_urand(mozilla_plugin_config_t)
|
||||
+dev_dontaudit_read_rand(mozilla_plugin_config_t)
|
||||
+dev_dontaudit_rw_dri(mozilla_plugin_config_t)
|
||||
|
||||
-can_exec(mozilla_plugin_config_t, { mozilla_plugin_rw_t mozilla_plugin_home_t })
|
||||
-ps_process_pattern(mozilla_plugin_config_t, mozilla_plugin_t)
|
||||
+fs_search_auto_mountpoints(mozilla_plugin_config_t)
|
||||
+fs_list_inotifyfs(mozilla_plugin_config_t)
|
||||
|
||||
-ps_process_pattern(mozilla_plugin_config_t, mozilla_plugin_t)
|
||||
-
|
||||
-kernel_read_system_state(mozilla_plugin_config_t)
|
||||
-kernel_request_load_module(mozilla_plugin_config_t)
|
||||
+can_exec(mozilla_plugin_config_t, mozilla_plugin_rw_t)
|
||||
@ -46824,18 +46836,14 @@ index 11ac8e4..fb431ea 100644
|
||||
- allow mozilla_plugin_config_t self:process execmem;
|
||||
+optional_policy(`
|
||||
+ gnome_dontaudit_rw_inherited_config(mozilla_plugin_config_t)
|
||||
')
|
||||
|
||||
-tunable_policy(`mozilla_execstack',`
|
||||
- allow mozilla_plugin_config_t self:process { execmem execstack };
|
||||
+')
|
||||
+
|
||||
+optional_policy(`
|
||||
+ xserver_use_user_fonts(mozilla_plugin_config_t)
|
||||
')
|
||||
|
||||
-tunable_policy(`use_nfs_home_dirs',`
|
||||
- fs_manage_nfs_dirs(mozilla_plugin_config_t)
|
||||
- fs_manage_nfs_files(mozilla_plugin_config_t)
|
||||
- fs_manage_nfs_symlinks(mozilla_plugin_config_t)
|
||||
-tunable_policy(`mozilla_execstack',`
|
||||
- allow mozilla_plugin_config_t self:process { execmem execstack };
|
||||
+ifdef(`distro_redhat',`
|
||||
+ typealias mozilla_plugin_t alias nsplugin_t;
|
||||
+ typealias mozilla_plugin_exec_t alias nsplugin_exec_t;
|
||||
@ -46846,10 +46854,10 @@ index 11ac8e4..fb431ea 100644
|
||||
+ typealias mozilla_plugin_config_exec_t alias nsplugin_config_exec_t;
|
||||
')
|
||||
|
||||
-tunable_policy(`use_samba_home_dirs',`
|
||||
- fs_manage_cifs_dirs(mozilla_plugin_config_t)
|
||||
- fs_manage_cifs_files(mozilla_plugin_config_t)
|
||||
- fs_manage_cifs_symlinks(mozilla_plugin_config_t)
|
||||
-tunable_policy(`use_nfs_home_dirs',`
|
||||
- fs_manage_nfs_dirs(mozilla_plugin_config_t)
|
||||
- fs_manage_nfs_files(mozilla_plugin_config_t)
|
||||
- fs_manage_nfs_symlinks(mozilla_plugin_config_t)
|
||||
+#tunable_policy(`mozilla_plugin_enable_homedirs',`
|
||||
+# userdom_user_home_dir_filetrans(mozilla_plugin_t, mozilla_home_t, { dir file })
|
||||
+#', `
|
||||
@ -46862,8 +46870,10 @@ index 11ac8e4..fb431ea 100644
|
||||
+ userdom_execmod_user_home_files(mozilla_plugin_t)
|
||||
')
|
||||
|
||||
-optional_policy(`
|
||||
- automount_dontaudit_getattr_tmp_dirs(mozilla_plugin_config_t)
|
||||
-tunable_policy(`use_samba_home_dirs',`
|
||||
- fs_manage_cifs_dirs(mozilla_plugin_config_t)
|
||||
- fs_manage_cifs_files(mozilla_plugin_config_t)
|
||||
- fs_manage_cifs_symlinks(mozilla_plugin_config_t)
|
||||
+tunable_policy(`mozilla_plugin_use_spice',`
|
||||
+ dev_rw_generic_usb_dev(mozilla_plugin_t)
|
||||
+ dev_setattr_generic_usb_dev(mozilla_plugin_t)
|
||||
@ -46871,11 +46881,18 @@ index 11ac8e4..fb431ea 100644
|
||||
')
|
||||
|
||||
-optional_policy(`
|
||||
- xserver_use_user_fonts(mozilla_plugin_config_t)
|
||||
- automount_dontaudit_getattr_tmp_dirs(mozilla_plugin_config_t)
|
||||
+tunable_policy(`mozilla_plugin_use_gps',`
|
||||
+ fs_manage_dos_dirs(mozilla_plugin_t)
|
||||
+ fs_manage_dos_files(mozilla_plugin_t)
|
||||
')
|
||||
|
||||
-optional_policy(`
|
||||
- xserver_use_user_fonts(mozilla_plugin_config_t)
|
||||
+tunable_policy(`mozilla_plugin_use_bluejeans',`
|
||||
+ corenet_tcp_bind_unreserved_ports(mozilla_plugin_t)
|
||||
+ corenet_dontaudit_tcp_bind_all_defined_ports(mozilla_plugin_t)
|
||||
')
|
||||
diff --git a/mpd.fc b/mpd.fc
|
||||
index 313ce52..ae93e07 100644
|
||||
--- a/mpd.fc
|
||||
@ -51533,7 +51550,7 @@ index fe1068b..98166ee 100644
|
||||
|
||||
userdom_dontaudit_use_unpriv_user_fds(nessusd_t)
|
||||
diff --git a/networkmanager.fc b/networkmanager.fc
|
||||
index 94b9734..bb9c83e 100644
|
||||
index 94b9734..448a7e8 100644
|
||||
--- a/networkmanager.fc
|
||||
+++ b/networkmanager.fc
|
||||
@@ -1,44 +1,46 @@
|
||||
@ -51565,7 +51582,7 @@ index 94b9734..bb9c83e 100644
|
||||
|
||||
-/sbin/wpa_cli -- gen_context(system_u:object_r:wpa_cli_exec_t,s0)
|
||||
-/sbin/wpa_supplicant -- gen_context(system_u:object_r:NetworkManager_exec_t,s0)
|
||||
+/usr/libexec/nm-dispatcher.action -- gen_context(system_u:object_r:NetworkManager_exec_t,s0)
|
||||
+/usr/libexec/nm-dispatcher.* -- gen_context(system_u:object_r:NetworkManager_exec_t,s0)
|
||||
|
||||
/usr/bin/NetworkManager -- gen_context(system_u:object_r:NetworkManager_exec_t,s0)
|
||||
/usr/bin/wpa_cli -- gen_context(system_u:object_r:wpa_cli_exec_t,s0)
|
||||
@ -53278,10 +53295,10 @@ index 0000000..28936b4
|
||||
+')
|
||||
diff --git a/nova.te b/nova.te
|
||||
new file mode 100644
|
||||
index 0000000..2c40c73
|
||||
index 0000000..87072c4
|
||||
--- /dev/null
|
||||
+++ b/nova.te
|
||||
@@ -0,0 +1,314 @@
|
||||
@@ -0,0 +1,318 @@
|
||||
+policy_module(nova, 1.0.0)
|
||||
+
|
||||
+########################################
|
||||
@ -53353,11 +53370,15 @@ index 0000000..2c40c73
|
||||
+corecmd_exec_shell(nova_domain)
|
||||
+corenet_tcp_connect_mysqld_port(nova_domain)
|
||||
+
|
||||
+auth_read_passwd(nova_domain)
|
||||
+
|
||||
+dev_read_sysfs(nova_domain)
|
||||
+dev_read_urand(nova_domain)
|
||||
+
|
||||
+fs_getattr_xattr_fs(nova_domain)
|
||||
+
|
||||
+init_read_utmp(nova_domain)
|
||||
+
|
||||
+libs_exec_ldconfig(nova_domain)
|
||||
+
|
||||
+optional_policy(`
|
||||
@ -79663,7 +79684,7 @@ index 6dbc905..4b17c93 100644
|
||||
- admin_pattern($1, rhsmcertd_lock_t)
|
||||
')
|
||||
diff --git a/rhsmcertd.te b/rhsmcertd.te
|
||||
index d32e1a2..33ca060 100644
|
||||
index d32e1a2..04fffba 100644
|
||||
--- a/rhsmcertd.te
|
||||
+++ b/rhsmcertd.te
|
||||
@@ -18,6 +18,9 @@ logging_log_file(rhsmcertd_log_t)
|
||||
@ -79739,8 +79760,8 @@ index d32e1a2..33ca060 100644
|
||||
-miscfiles_read_generic_certs(rhsmcertd_t)
|
||||
+logging_send_syslog_msg(rhsmcertd_t)
|
||||
+
|
||||
+miscfiles_manage_cert_files(rhsmcertd_t)
|
||||
+miscfiles_manage_cert_dirs(rhsmcertd_t)
|
||||
+miscfiles_manage_generic_cert_files(rhsmcertd_t)
|
||||
+miscfiles_manage_generic_cert_dirs(rhsmcertd_t)
|
||||
|
||||
sysnet_dns_name_resolve(rhsmcertd_t)
|
||||
|
||||
@ -94554,10 +94575,10 @@ index 0000000..6a1f575
|
||||
+')
|
||||
diff --git a/swift.te b/swift.te
|
||||
new file mode 100644
|
||||
index 0000000..7fce837
|
||||
index 0000000..d3fe02a
|
||||
--- /dev/null
|
||||
+++ b/swift.te
|
||||
@@ -0,0 +1,102 @@
|
||||
@@ -0,0 +1,119 @@
|
||||
+policy_module(swift, 1.0.0)
|
||||
+
|
||||
+########################################
|
||||
@ -94565,6 +94586,15 @@ index 0000000..7fce837
|
||||
+# Declarations
|
||||
+#
|
||||
+
|
||||
+## <desc>
|
||||
+## <p>
|
||||
+## Determine whether swift can
|
||||
+## connect to all TCP ports
|
||||
+## </p>
|
||||
+## </desc>
|
||||
+gen_tunable(swift_can_network, false)
|
||||
+
|
||||
+
|
||||
+type swift_t;
|
||||
+type swift_exec_t;
|
||||
+init_daemon_domain(swift_t, swift_exec_t)
|
||||
@ -94637,6 +94667,8 @@ index 0000000..7fce837
|
||||
+corenet_tcp_bind_xserver_port(swift_t)
|
||||
+corenet_tcp_bind_http_cache_port(swift_t)
|
||||
+
|
||||
+corenet_tcp_connect_xserver_port(swift_t)
|
||||
+
|
||||
+corecmd_exec_shell(swift_t)
|
||||
+corecmd_exec_bin(swift_t)
|
||||
+
|
||||
@ -94656,6 +94688,12 @@ index 0000000..7fce837
|
||||
+
|
||||
+userdom_dontaudit_search_user_home_dirs(swift_t)
|
||||
+
|
||||
+tunable_policy(`swift_can_network',`
|
||||
+ corenet_sendrecv_all_client_packets(swift_t)
|
||||
+ corenet_tcp_connect_all_ports(swift_t)
|
||||
+ corenet_tcp_sendrecv_all_ports(swift_t)
|
||||
+')
|
||||
+
|
||||
+optional_policy(`
|
||||
+ rpm_exec(swift_t)
|
||||
+ rpm_dontaudit_manage_db(swift_t)
|
||||
@ -97037,10 +97075,10 @@ index 0000000..c1fd8b4
|
||||
+')
|
||||
diff --git a/thumb.te b/thumb.te
|
||||
new file mode 100644
|
||||
index 0000000..0e30ce2
|
||||
index 0000000..7f7e7ff
|
||||
--- /dev/null
|
||||
+++ b/thumb.te
|
||||
@@ -0,0 +1,157 @@
|
||||
@@ -0,0 +1,159 @@
|
||||
+policy_module(thumb, 1.0.0)
|
||||
+
|
||||
+########################################
|
||||
@ -97111,6 +97149,8 @@ index 0000000..0e30ce2
|
||||
+corecmd_exec_bin(thumb_t)
|
||||
+corecmd_exec_shell(thumb_t)
|
||||
+
|
||||
+corenet_tcp_connect_xserver_port(thumb_t)
|
||||
+
|
||||
+dev_read_sysfs(thumb_t)
|
||||
+dev_read_urand(thumb_t)
|
||||
+dev_dontaudit_rw_dri(thumb_t)
|
||||
|
@ -19,7 +19,7 @@
|
||||
Summary: SELinux policy configuration
|
||||
Name: selinux-policy
|
||||
Version: 3.13.1
|
||||
Release: 57%{?dist}
|
||||
Release: 58%{?dist}
|
||||
License: GPLv2+
|
||||
Group: System Environment/Base
|
||||
Source: serefpolicy-%{version}.tgz
|
||||
@ -588,6 +588,10 @@ SELinux Reference policy mls base module.
|
||||
%endif
|
||||
|
||||
%changelog
|
||||
* Wed Jun 11 2014 Miroslav Grepl<mgrepl@redhat.com> 3.13.1-58
|
||||
- Add mozilla_plugin_use_bluejeans boolean
|
||||
- Add additional interfaces needed by mozilla_plugin_use_bluejeans boolean
|
||||
|
||||
* Mon Jun 9 2014 Miroslav Grepl<mgrepl@redhat.com> 3.13.1-57
|
||||
- Allow staff_t to communicate and run docker
|
||||
- Fix *_ecryptfs_home_dirs booleans
|
||||
|
Loading…
Reference in New Issue
Block a user