- Pull in cleanups from dgrift
- Allow mozilla_plugin_t to execute mozilla_home_t - Allow rpc.quota to do quotamod
This commit is contained in:
parent
e25799116a
commit
ab8faf7dcf
@ -2144,10 +2144,10 @@ index 0000000..7fe26f3
|
||||
+')
|
||||
diff --git a/policy/modules/apps/firewallgui.te b/policy/modules/apps/firewallgui.te
|
||||
new file mode 100644
|
||||
index 0000000..4da3d86
|
||||
index 0000000..910a3f4
|
||||
--- /dev/null
|
||||
+++ b/policy/modules/apps/firewallgui.te
|
||||
@@ -0,0 +1,66 @@
|
||||
@@ -0,0 +1,65 @@
|
||||
+policy_module(firewallgui,1.0.0)
|
||||
+
|
||||
+########################################
|
||||
@ -2167,8 +2167,7 @@ index 0000000..4da3d86
|
||||
+# firewallgui local policy
|
||||
+#
|
||||
+
|
||||
+allow firewallgui_t self:capability net_admin;
|
||||
+
|
||||
+allow firewallgui_t self:capability { net_admin sys_rawio } ;
|
||||
+allow firewallgui_t self:fifo_file rw_fifo_file_perms;
|
||||
+
|
||||
+manage_files_pattern(firewallgui_t,firewallgui_tmp_t,firewallgui_tmp_t)
|
||||
@ -7695,7 +7694,7 @@ index aad8c52..0d8458a 100644
|
||||
+ dontaudit $1 domain:socket_class_set { read write };
|
||||
+')
|
||||
diff --git a/policy/modules/kernel/domain.te b/policy/modules/kernel/domain.te
|
||||
index 099f57f..d58ef64 100644
|
||||
index 099f57f..5843cad 100644
|
||||
--- a/policy/modules/kernel/domain.te
|
||||
+++ b/policy/modules/kernel/domain.te
|
||||
@@ -4,6 +4,21 @@ policy_module(domain, 1.8.1)
|
||||
@ -7739,21 +7738,24 @@ index 099f57f..d58ef64 100644
|
||||
|
||||
# Use trusted objects in /dev
|
||||
dev_rw_null(domain)
|
||||
@@ -104,6 +122,13 @@ term_use_controlling_term(domain)
|
||||
@@ -103,6 +121,16 @@ term_use_controlling_term(domain)
|
||||
|
||||
# list the root directory
|
||||
files_list_root(domain)
|
||||
|
||||
+# allow all domains to search through default_t directory, since users sometimes
|
||||
+# place labels within these directories. (samba_share_t) for example.
|
||||
+files_search_default(domain)
|
||||
+
|
||||
+# All executables should be able to search the directory they are in
|
||||
+corecmd_search_bin(domain)
|
||||
+
|
||||
+tunable_policy(`domain_kernel_load_modules',`
|
||||
+ kernel_request_load_module(domain)
|
||||
+')
|
||||
+
|
||||
|
||||
tunable_policy(`global_ssp',`
|
||||
# enable reading of urandom for all domains:
|
||||
# this should be enabled when all programs
|
||||
@@ -113,8 +138,13 @@ tunable_policy(`global_ssp',`
|
||||
@@ -113,8 +141,13 @@ tunable_policy(`global_ssp',`
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@ -7767,7 +7769,7 @@ index 099f57f..d58ef64 100644
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -125,6 +155,8 @@ optional_policy(`
|
||||
@@ -125,6 +158,8 @@ optional_policy(`
|
||||
optional_policy(`
|
||||
xserver_dontaudit_use_xdm_fds(domain)
|
||||
xserver_dontaudit_rw_xdm_pipes(domain)
|
||||
@ -7776,7 +7778,7 @@ index 099f57f..d58ef64 100644
|
||||
')
|
||||
|
||||
########################################
|
||||
@@ -143,6 +175,8 @@ allow unconfined_domain_type domain:{ socket_class_set socket key_socket } *;
|
||||
@@ -143,6 +178,8 @@ allow unconfined_domain_type domain:{ socket_class_set socket key_socket } *;
|
||||
allow unconfined_domain_type domain:fd use;
|
||||
allow unconfined_domain_type domain:fifo_file rw_file_perms;
|
||||
|
||||
@ -7785,7 +7787,7 @@ index 099f57f..d58ef64 100644
|
||||
# Act upon any other process.
|
||||
allow unconfined_domain_type domain:process ~{ transition dyntransition execmem execstack execheap };
|
||||
|
||||
@@ -160,3 +194,81 @@ allow unconfined_domain_type domain:key *;
|
||||
@@ -160,3 +197,81 @@ allow unconfined_domain_type domain:key *;
|
||||
|
||||
# receive from all domains over labeled networking
|
||||
domain_all_recvfrom_all_domains(unconfined_domain_type)
|
||||
@ -34714,7 +34716,7 @@ index aa6e5a8..42a0efb 100644
|
||||
########################################
|
||||
## <summary>
|
||||
diff --git a/policy/modules/services/xserver.fc b/policy/modules/services/xserver.fc
|
||||
index 6f1e3c7..39c2bb3 100644
|
||||
index 6f1e3c7..6a160b2 100644
|
||||
--- a/policy/modules/services/xserver.fc
|
||||
+++ b/policy/modules/services/xserver.fc
|
||||
@@ -2,13 +2,23 @@
|
||||
@ -34791,7 +34793,7 @@ index 6f1e3c7..39c2bb3 100644
|
||||
/usr/bin/xauth -- gen_context(system_u:object_r:xauth_exec_t,s0)
|
||||
/usr/bin/Xorg -- gen_context(system_u:object_r:xserver_exec_t,s0)
|
||||
ifdef(`distro_debian', `
|
||||
@@ -89,17 +98,43 @@ ifdef(`distro_debian', `
|
||||
@@ -89,17 +98,44 @@ ifdef(`distro_debian', `
|
||||
|
||||
/var/[xgk]dm(/.*)? gen_context(system_u:object_r:xserver_log_t,s0)
|
||||
|
||||
@ -34806,6 +34808,7 @@ index 6f1e3c7..39c2bb3 100644
|
||||
-/var/log/[kw]dm\.log -- gen_context(system_u:object_r:xserver_log_t,s0)
|
||||
-/var/log/gdm(/.*)? gen_context(system_u:object_r:xserver_log_t,s0)
|
||||
+/var/log/gdm(/.*)? gen_context(system_u:object_r:xdm_log_t,s0)
|
||||
+/var/log/slim\.log.* -- gen_context(system_u:object_r:xdm_log_t,s0)
|
||||
+/var/log/lxdm\.log.* -- gen_context(system_u:object_r:xdm_log_t,s0)
|
||||
+/var/log/[kw]dm\.log.* -- gen_context(system_u:object_r:xserver_log_t,s0)
|
||||
/var/log/XFree86.* -- gen_context(system_u:object_r:xserver_log_t,s0)
|
||||
|
Loading…
Reference in New Issue
Block a user