- Pull in cleanups from dgrift
- Allow mozilla_plugin_t to execute mozilla_home_t
- Allow rpc.quota to do quotamod
This commit is contained in:
parent
e25799116a
commit
ab8faf7dcf
@ -2144,10 +2144,10 @@ index 0000000..7fe26f3
|
|||||||
+')
|
+')
|
||||||
diff --git a/policy/modules/apps/firewallgui.te b/policy/modules/apps/firewallgui.te
|
diff --git a/policy/modules/apps/firewallgui.te b/policy/modules/apps/firewallgui.te
|
||||||
new file mode 100644
|
new file mode 100644
|
||||||
index 0000000..4da3d86
|
index 0000000..910a3f4
|
||||||
--- /dev/null
|
--- /dev/null
|
||||||
+++ b/policy/modules/apps/firewallgui.te
|
+++ b/policy/modules/apps/firewallgui.te
|
||||||
@@ -0,0 +1,66 @@
|
@@ -0,0 +1,65 @@
|
||||||
+policy_module(firewallgui,1.0.0)
|
+policy_module(firewallgui,1.0.0)
|
||||||
+
|
+
|
||||||
+########################################
|
+########################################
|
||||||
@ -2167,8 +2167,7 @@ index 0000000..4da3d86
|
|||||||
+# firewallgui local policy
|
+# firewallgui local policy
|
||||||
+#
|
+#
|
||||||
+
|
+
|
||||||
+allow firewallgui_t self:capability net_admin;
|
+allow firewallgui_t self:capability { net_admin sys_rawio } ;
|
||||||
+
|
|
||||||
+allow firewallgui_t self:fifo_file rw_fifo_file_perms;
|
+allow firewallgui_t self:fifo_file rw_fifo_file_perms;
|
||||||
+
|
+
|
||||||
+manage_files_pattern(firewallgui_t,firewallgui_tmp_t,firewallgui_tmp_t)
|
+manage_files_pattern(firewallgui_t,firewallgui_tmp_t,firewallgui_tmp_t)
|
||||||
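Review bot: The rewritten rule on the new side, `allow firewallgui_t self:capability { net_admin sys_rawio } ;`, widens the firewall GUI's capability set with sys_rawio, and neither the hunk nor the commit message (which names the dgrift cleanups, mozilla_plugin_t and rpc.quota) says which operation needs it. sys_rawio is a far broader grant than net_admin, so it deserves a why-comment above the rule, something like `# sys_rawio: required for <operation — TODO confirm>`, or a dontaudit instead if the underlying denial is only noise. The stray space before the terminator also differs from the rest of the module; `allow firewallgui_t self:capability { net_admin sys_rawio };` matches the surrounding style. This hunk shows only part of the new firewallgui.te, so the remaining rules of the module are outside this view.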
@ -7695,7 +7694,7 @@ index aad8c52..0d8458a 100644
|
|||||||
+ dontaudit $1 domain:socket_class_set { read write };
|
+ dontaudit $1 domain:socket_class_set { read write };
|
||||||
+')
|
+')
|
||||||
diff --git a/policy/modules/kernel/domain.te b/policy/modules/kernel/domain.te
|
diff --git a/policy/modules/kernel/domain.te b/policy/modules/kernel/domain.te
|
||||||
index 099f57f..d58ef64 100644
|
index 099f57f..5843cad 100644
|
||||||
--- a/policy/modules/kernel/domain.te
|
--- a/policy/modules/kernel/domain.te
|
||||||
+++ b/policy/modules/kernel/domain.te
|
+++ b/policy/modules/kernel/domain.te
|
||||||
@@ -4,6 +4,21 @@ policy_module(domain, 1.8.1)
|
@@ -4,6 +4,21 @@ policy_module(domain, 1.8.1)
|
||||||
@ -7739,21 +7738,24 @@ index 099f57f..d58ef64 100644
|
|||||||
|
|
||||||
# Use trusted objects in /dev
|
# Use trusted objects in /dev
|
||||||
dev_rw_null(domain)
|
dev_rw_null(domain)
|
||||||
@@ -104,6 +122,13 @@ term_use_controlling_term(domain)
|
@@ -103,6 +121,16 @@ term_use_controlling_term(domain)
|
||||||
|
|
||||||
# list the root directory
|
# list the root directory
|
||||||
files_list_root(domain)
|
files_list_root(domain)
|
||||||
|
+# allow all domains to search through default_t directory, since users sometimes
|
||||||
|
+# place labels within these directories. (samba_share_t) for example.
|
||||||
|
+files_search_default(domain)
|
||||||
|
+
|
||||||
+# All executables should be able to search the directory they are in
|
+# All executables should be able to search the directory they are in
|
||||||
+corecmd_search_bin(domain)
|
+corecmd_search_bin(domain)
|
||||||
+
|
+
|
||||||
+tunable_policy(`domain_kernel_load_modules',`
|
+tunable_policy(`domain_kernel_load_modules',`
|
||||||
+ kernel_request_load_module(domain)
|
+ kernel_request_load_module(domain)
|
||||||
+')
|
+')
|
||||||
+
|
|
||||||
tunable_policy(`global_ssp',`
|
tunable_policy(`global_ssp',`
|
||||||
# enable reading of urandom for all domains:
|
# enable reading of urandom for all domains:
|
||||||
# this should be enabled when all programs
|
@@ -113,8 +141,13 @@ tunable_policy(`global_ssp',`
|
||||||
@@ -113,8 +138,13 @@ tunable_policy(`global_ssp',`
|
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@ -7767,7 +7769,7 @@ index 099f57f..d58ef64 100644
|
|||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@@ -125,6 +155,8 @@ optional_policy(`
|
@@ -125,6 +158,8 @@ optional_policy(`
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
xserver_dontaudit_use_xdm_fds(domain)
|
xserver_dontaudit_use_xdm_fds(domain)
|
||||||
xserver_dontaudit_rw_xdm_pipes(domain)
|
xserver_dontaudit_rw_xdm_pipes(domain)
|
||||||
@ -7776,7 +7778,7 @@ index 099f57f..d58ef64 100644
|
|||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@@ -143,6 +175,8 @@ allow unconfined_domain_type domain:{ socket_class_set socket key_socket } *;
|
@@ -143,6 +178,8 @@ allow unconfined_domain_type domain:{ socket_class_set socket key_socket } *;
|
||||||
allow unconfined_domain_type domain:fd use;
|
allow unconfined_domain_type domain:fd use;
|
||||||
allow unconfined_domain_type domain:fifo_file rw_file_perms;
|
allow unconfined_domain_type domain:fifo_file rw_file_perms;
|
||||||
|
|
||||||
@ -7785,7 +7787,7 @@ index 099f57f..d58ef64 100644
|
|||||||
# Act upon any other process.
|
# Act upon any other process.
|
||||||
allow unconfined_domain_type domain:process ~{ transition dyntransition execmem execstack execheap };
|
allow unconfined_domain_type domain:process ~{ transition dyntransition execmem execstack execheap };
|
||||||
|
|
||||||
@@ -160,3 +194,81 @@ allow unconfined_domain_type domain:key *;
|
@@ -160,3 +197,81 @@ allow unconfined_domain_type domain:key *;
|
||||||
|
|
||||||
# receive from all domains over labeled networking
|
# receive from all domains over labeled networking
|
||||||
domain_all_recvfrom_all_domains(unconfined_domain_type)
|
domain_all_recvfrom_all_domains(unconfined_domain_type)
|
||||||
@ -34714,7 +34716,7 @@ index aa6e5a8..42a0efb 100644
|
|||||||
########################################
|
########################################
|
||||||
## <summary>
|
## <summary>
|
||||||
diff --git a/policy/modules/services/xserver.fc b/policy/modules/services/xserver.fc
|
diff --git a/policy/modules/services/xserver.fc b/policy/modules/services/xserver.fc
|
||||||
index 6f1e3c7..39c2bb3 100644
|
index 6f1e3c7..6a160b2 100644
|
||||||
--- a/policy/modules/services/xserver.fc
|
--- a/policy/modules/services/xserver.fc
|
||||||
+++ b/policy/modules/services/xserver.fc
|
+++ b/policy/modules/services/xserver.fc
|
||||||
@@ -2,13 +2,23 @@
|
@@ -2,13 +2,23 @@
|
||||||
@ -34791,7 +34793,7 @@ index 6f1e3c7..39c2bb3 100644
|
|||||||
/usr/bin/xauth -- gen_context(system_u:object_r:xauth_exec_t,s0)
|
/usr/bin/xauth -- gen_context(system_u:object_r:xauth_exec_t,s0)
|
||||||
/usr/bin/Xorg -- gen_context(system_u:object_r:xserver_exec_t,s0)
|
/usr/bin/Xorg -- gen_context(system_u:object_r:xserver_exec_t,s0)
|
||||||
ifdef(`distro_debian', `
|
ifdef(`distro_debian', `
|
||||||
@@ -89,17 +98,43 @@ ifdef(`distro_debian', `
|
@@ -89,17 +98,44 @@ ifdef(`distro_debian', `
|
||||||
|
|
||||||
/var/[xgk]dm(/.*)? gen_context(system_u:object_r:xserver_log_t,s0)
|
/var/[xgk]dm(/.*)? gen_context(system_u:object_r:xserver_log_t,s0)
|
||||||
|
|
||||||
@ -34806,6 +34808,7 @@ index 6f1e3c7..39c2bb3 100644
|
|||||||
-/var/log/[kw]dm\.log -- gen_context(system_u:object_r:xserver_log_t,s0)
|
-/var/log/[kw]dm\.log -- gen_context(system_u:object_r:xserver_log_t,s0)
|
||||||
-/var/log/gdm(/.*)? gen_context(system_u:object_r:xserver_log_t,s0)
|
-/var/log/gdm(/.*)? gen_context(system_u:object_r:xserver_log_t,s0)
|
||||||
+/var/log/gdm(/.*)? gen_context(system_u:object_r:xdm_log_t,s0)
|
+/var/log/gdm(/.*)? gen_context(system_u:object_r:xdm_log_t,s0)
|
||||||
|
+/var/log/slim\.log.* -- gen_context(system_u:object_r:xdm_log_t,s0)
|
||||||
+/var/log/lxdm\.log.* -- gen_context(system_u:object_r:xdm_log_t,s0)
|
+/var/log/lxdm\.log.* -- gen_context(system_u:object_r:xdm_log_t,s0)
|
||||||
+/var/log/[kw]dm\.log.* -- gen_context(system_u:object_r:xserver_log_t,s0)
|
+/var/log/[kw]dm\.log.* -- gen_context(system_u:object_r:xserver_log_t,s0)
|
||||||
/var/log/XFree86.* -- gen_context(system_u:object_r:xserver_log_t,s0)
|
/var/log/XFree86.* -- gen_context(system_u:object_r:xserver_log_t,s0)
|
||||||
|