- Allow nsplugin to run acroread

2008-03-14 15:17:23 +00:00 · 2008-03-14 15:17:23 +00:00 · ad50da8a27
parent 987b10f86d
commit ad50da8a27
1 changed files with 41 additions and 27 deletions
--- a/policy-20071130.patch
+++ b/policy-20071130.patch
@ -5079,8 +5079,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin
 +HOME_DIR/\.macromedia(/.*)?			gen_context(system_u:object_r:user_nsplugin_home_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin.if serefpolicy-3.3.1/policy/modules/apps/nsplugin.if
 --- nsaserefpolicy/policy/modules/apps/nsplugin.if	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/apps/nsplugin.if	2008-03-12 08:30:42.000000000 -0400
-@@ -0,0 +1,347 @@
+++ serefpolicy-3.3.1/policy/modules/apps/nsplugin.if	2008-03-14 10:52:23.000000000 -0400
+@@ -0,0 +1,350 @@
 +
 +## <summary>policy for nsplugin</summary>
 +
@ -5246,6 +5246,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin
 +	dontaudit nsplugin_t $2:tcp_socket rw_socket_perms;
 +	dontaudit nsplugin_t $2:udp_socket rw_socket_perms;
 +	dontaudit nsplugin_t $2:unix_stream_socket rw_socket_perms;
+	dontaudit nsplugin_config_t $2:tcp_socket rw_socket_perms;
+	dontaudit nsplugin_config_t $2:udp_socket rw_socket_perms;
+	dontaudit nsplugin_config_t $2:unix_stream_socket rw_socket_perms;
 +	allow nsplugin_t $2:unix_stream_socket connectto;
 +	dontaudit nsplugin_t $2:process ptrace;
 +
@ -5430,8 +5433,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin.te serefpolicy-3.3.1/policy/modules/apps/nsplugin.te
 --- nsaserefpolicy/policy/modules/apps/nsplugin.te	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/apps/nsplugin.te	2008-03-10 14:35:49.000000000 -0400
-@@ -0,0 +1,166 @@
+++ serefpolicy-3.3.1/policy/modules/apps/nsplugin.te	2008-03-14 10:51:39.000000000 -0400
+@@ -0,0 +1,170 @@
 +
 +policy_module(nsplugin,1.0.0)
 +
@ -5472,7 +5475,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin
 +# nsplugin local policy
 +#
 +allow nsplugin_t self:fifo_file rw_file_perms;
-+allow nsplugin_t self:process { ptrace getsched };
+allow nsplugin_t self:process { ptrace getsched signal_perms };
+allow nsplugin_t self:sem create_sem_perms;
+allow nsplugin_t self:shm create_shm_perms;
+allow nsplugin_t self:msgq create_msgq_perms;
 +
 +tunable_policy(`allow_nsplugin_execmem',`
 +        allow nsplugin_t self:process { execstack execmem };
@ -5517,15 +5523,22 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin
 +
 +libs_use_ld_so(nsplugin_t)
 +libs_use_shared_libs(nsplugin_t)
+libs_exec_ld_so(nsplugin_t)
 +
 +miscfiles_read_localization(nsplugin_t)
 +miscfiles_read_fonts(nsplugin_t)
 +miscfiles_manage_home_fonts(nsplugin_t)
 +
+manage_dirs_pattern(nsplugin_t, nsplugin_tmp_t, nsplugin_tmp_t)
+manage_files_pattern(nsplugin_t, nsplugin_tmp_t, nsplugin_tmp_t)
+manage_sock_files_pattern(nsplugin_t, nsplugin_tmp_t, nsplugin_tmp_t)
+files_tmp_filetrans(nsplugin_t, nsplugin_tmp_t, { file dir sock_file })
+
 +userdom_read_user_home_content_files(user, nsplugin_t)
 +userdom_read_user_tmp_files(user, nsplugin_t)
 +userdom_write_user_tmp_sockets(user, nsplugin_t)
 +userdom_dontaudit_append_unpriv_home_content_files(nsplugin_t)
+userdom_dontaudit_manage_user_tmp_files(user, nsplugin_t)
 +
 +optional_policy(`
 +	alsa_read_rw_config(nsplugin_t)
@ -5554,17 +5567,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin
 +
 +allow nsplugin_config_t self:capability { sys_nice setuid setgid };
 +allow nsplugin_config_t self:process { setsched sigkill getsched execmem };
-+allow nsplugin_t self:sem create_sem_perms;
-+allow nsplugin_t self:shm create_shm_perms;
-+allow nsplugin_t self:msgq create_msgq_perms;
 +
 +allow nsplugin_config_t self:fifo_file rw_file_perms;
 +allow nsplugin_config_t self:unix_stream_socket create_stream_socket_perms;
 +
-+manage_dirs_pattern(nsplugin_t, nsplugin_tmp_t, nsplugin_tmp_t)
-+manage_files_pattern(nsplugin_t, nsplugin_tmp_t, nsplugin_tmp_t)
-+manage_sock_files_pattern(nsplugin_t, nsplugin_tmp_t, nsplugin_tmp_t)
-+files_tmp_filetrans(nsplugin_t, nsplugin_tmp_t, { file dir sock_file })
+fs_list_inotifyfs(nsplugin_t)
 +
 +can_exec(nsplugin_config_t, nsplugin_rw_t)
 +manage_dirs_pattern(nsplugin_config_t, nsplugin_rw_t, nsplugin_rw_t)
@ -14423,8 +14430,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/gami
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/gamin.te serefpolicy-3.3.1/policy/modules/services/gamin.te
 --- nsaserefpolicy/policy/modules/services/gamin.te	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/services/gamin.te	2008-03-06 13:11:39.000000000 -0500
-@@ -0,0 +1,38 @@
+++ serefpolicy-3.3.1/policy/modules/services/gamin.te	2008-03-14 10:50:28.000000000 -0400
+@@ -0,0 +1,39 @@
 +policy_module(gamin,1.0.0)
 +
 +########################################
@ -14455,6 +14462,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/gami
 +
 +fs_list_inotifyfs(gamin_t)
 +domain_read_all_domains_state(gamin_t)
+domain_dontaudit_ptrace_all_domains(gamin_t)
 +
 +libs_use_ld_so(gamin_t)
 +libs_use_shared_libs(gamin_t)
@ -23745,7 +23753,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
 /var/lib/pam_devperm/:0	--	gen_context(system_u:object_r:xdm_var_lib_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.if serefpolicy-3.3.1/policy/modules/services/xserver.if
 --- nsaserefpolicy/policy/modules/services/xserver.if	2007-12-04 11:02:50.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/services/xserver.if	2008-03-12 13:48:02.000000000 -0400
+++ serefpolicy-3.3.1/policy/modules/services/xserver.if	2008-03-14 11:14:49.000000000 -0400
@@ -12,9 +12,15 @@
 ##	</summary>
 ## </param>
@ -24212,7 +24220,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
 
 	# for when /tmp/.X11-unix is created by the system
 	allow $2 xdm_t:fd use;
-@@ -542,25 +543,532 @@
+@@ -542,26 +543,538 @@
 	allow $2 xdm_tmp_t:sock_file { read write };
 	dontaudit $2 xdm_t:tcp_socket { read write };
 
@ -24703,6 +24711,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
 +	gen_require(`
 +		type xdm_t, xdm_tmp_t;
 +		type user_xauth_home_t, user_iceauth_home_t, xdm_xserver_t, xdm_xserver_tmpfs_t;
+		class dbus all_dbus_perms;
 +	')
 +
 +	allow $3 self:shm create_shm_perms;
@ -24742,6 +24751,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
 +	userdom_manage_user_home_content_dirs($1, xdm_t)
 +	userdom_manage_user_home_content_files($1, xdm_t)
 +	userdom_user_home_dir_filetrans_user_home_content($1, xdm_t, { dir file })
+	allow $3 xdm_t:dbus send_msg;
+	allow xdm_t $3:dbus send_msg;
+
 	# Client write xserver shm
 	tunable_policy(`allow_write_xshm',`
 -		allow $2 $1_xserver_t:shm rw_shm_perms;
@ -24749,9 +24761,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
 +		allow $3 xdm_xserver_t:shm rw_shm_perms;
 +		allow $3 xdm_xserver_tmpfs_t:file rw_file_perms;
 	')
+
 ')
 
-@@ -593,26 +1101,44 @@
+ ########################################
+@@ -593,26 +1106,44 @@
 #
 template(`xserver_use_user_fonts',`
 	gen_require(`
@ -24803,7 +24817,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
 ##	Transition to a user Xauthority domain.
 ## </summary>
 ## <desc>
-@@ -638,10 +1164,77 @@
+@@ -638,10 +1169,77 @@
 #
 template(`xserver_domtrans_user_xauth',`
 	gen_require(`
@ -24883,7 +24897,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
 ')
 
 ########################################
-@@ -671,10 +1264,10 @@
+@@ -671,10 +1269,10 @@
 #
 template(`xserver_user_home_dir_filetrans_user_xauth',`
 	gen_require(`
@ -24896,7 +24910,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
 ')
 
 ########################################
-@@ -760,7 +1353,7 @@
+@@ -760,7 +1358,7 @@
 		type xconsole_device_t;
 	')
 
@ -24905,7 +24919,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
 ')
 
 ########################################
-@@ -860,6 +1453,25 @@
+@@ -860,6 +1458,25 @@
 
 ########################################
 ## <summary>
@ -24931,7 +24945,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
 ##	Read xdm-writable configuration files.
 ## </summary>
 ## <param name="domain">
-@@ -914,6 +1526,7 @@
+@@ -914,6 +1531,7 @@
 	files_search_tmp($1)
 	allow $1 xdm_tmp_t:dir list_dir_perms;
 	create_sock_files_pattern($1,xdm_tmp_t,xdm_tmp_t)
@ -24939,7 +24953,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
 ')
 
 ########################################
-@@ -955,6 +1568,24 @@
+@@ -955,6 +1573,24 @@
 
 ########################################
 ## <summary>
@ -24964,7 +24978,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
 ##	Execute the X server in the XDM X server domain.
 ## </summary>
 ## <param name="domain">
-@@ -965,15 +1596,47 @@
+@@ -965,15 +1601,47 @@
 #
 interface(`xserver_domtrans_xdm_xserver',`
 	gen_require(`
@ -25013,7 +25027,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
 ##	Make an X session script an entrypoint for the specified domain.
 ## </summary>
 ## <param name="domain">
-@@ -1123,7 +1786,7 @@
+@@ -1123,7 +1791,7 @@
 		type xdm_xserver_tmp_t;
 	')
 
@ -25022,7 +25036,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
 ')
 
 ########################################
-@@ -1312,3 +1975,83 @@
+@@ -1312,3 +1980,83 @@
 	files_search_tmp($1)
 	stream_connect_pattern($1,xdm_xserver_tmp_t,xdm_xserver_tmp_t,xdm_xserver_t)
 ')
@ -29977,7 +29991,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
 +/root(/.*)?	 	gen_context(system_u:object_r:admin_home_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.3.1/policy/modules/system/userdomain.if
 --- nsaserefpolicy/policy/modules/system/userdomain.if	2008-02-15 09:52:56.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/system/userdomain.if	2008-03-13 18:42:23.000000000 -0400
+++ serefpolicy-3.3.1/policy/modules/system/userdomain.if	2008-03-14 10:48:11.000000000 -0400
@@ -29,9 +29,14 @@
 	')