- Allow nsplugin to run acroread
parent
987b10f86d
commit
ad50da8a27
|
@ -5079,8 +5079,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin
|
|||
+HOME_DIR/\.macromedia(/.*)? gen_context(system_u:object_r:user_nsplugin_home_t,s0)
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin.if serefpolicy-3.3.1/policy/modules/apps/nsplugin.if
|
||||
--- nsaserefpolicy/policy/modules/apps/nsplugin.if 1969-12-31 19:00:00.000000000 -0500
|
||||
+++ serefpolicy-3.3.1/policy/modules/apps/nsplugin.if 2008-03-12 08:30:42.000000000 -0400
|
||||
@@ -0,0 +1,347 @@
|
||||
+++ serefpolicy-3.3.1/policy/modules/apps/nsplugin.if 2008-03-14 10:52:23.000000000 -0400
|
||||
@@ -0,0 +1,350 @@
|
||||
+
|
||||
+## <summary>policy for nsplugin</summary>
|
||||
+
|
||||
|
@ -5246,6 +5246,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin
|
|||
+ dontaudit nsplugin_t $2:tcp_socket rw_socket_perms;
|
||||
+ dontaudit nsplugin_t $2:udp_socket rw_socket_perms;
|
||||
+ dontaudit nsplugin_t $2:unix_stream_socket rw_socket_perms;
|
||||
+ dontaudit nsplugin_config_t $2:tcp_socket rw_socket_perms;
|
||||
+ dontaudit nsplugin_config_t $2:udp_socket rw_socket_perms;
|
||||
+ dontaudit nsplugin_config_t $2:unix_stream_socket rw_socket_perms;
|
||||
+ allow nsplugin_t $2:unix_stream_socket connectto;
|
||||
+ dontaudit nsplugin_t $2:process ptrace;
|
||||
+
|
||||
|
@ -5430,8 +5433,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin
|
|||
+')
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin.te serefpolicy-3.3.1/policy/modules/apps/nsplugin.te
|
||||
--- nsaserefpolicy/policy/modules/apps/nsplugin.te 1969-12-31 19:00:00.000000000 -0500
|
||||
+++ serefpolicy-3.3.1/policy/modules/apps/nsplugin.te 2008-03-10 14:35:49.000000000 -0400
|
||||
@@ -0,0 +1,166 @@
|
||||
+++ serefpolicy-3.3.1/policy/modules/apps/nsplugin.te 2008-03-14 10:51:39.000000000 -0400
|
||||
@@ -0,0 +1,170 @@
|
||||
+
|
||||
+policy_module(nsplugin,1.0.0)
|
||||
+
|
||||
|
@ -5472,7 +5475,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin
|
|||
+# nsplugin local policy
|
||||
+#
|
||||
+allow nsplugin_t self:fifo_file rw_file_perms;
|
||||
+allow nsplugin_t self:process { ptrace getsched };
|
||||
+allow nsplugin_t self:process { ptrace getsched signal_perms };
|
||||
+allow nsplugin_t self:sem create_sem_perms;
|
||||
+allow nsplugin_t self:shm create_shm_perms;
|
||||
+allow nsplugin_t self:msgq create_msgq_perms;
|
||||
+
|
||||
+tunable_policy(`allow_nsplugin_execmem',`
|
||||
+ allow nsplugin_t self:process { execstack execmem };
|
||||
|
@ -5517,15 +5523,22 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin
|
|||
+
|
||||
+libs_use_ld_so(nsplugin_t)
|
||||
+libs_use_shared_libs(nsplugin_t)
|
||||
+libs_exec_ld_so(nsplugin_t)
|
||||
+
|
||||
+miscfiles_read_localization(nsplugin_t)
|
||||
+miscfiles_read_fonts(nsplugin_t)
|
||||
+miscfiles_manage_home_fonts(nsplugin_t)
|
||||
+
|
||||
+manage_dirs_pattern(nsplugin_t, nsplugin_tmp_t, nsplugin_tmp_t)
|
||||
+manage_files_pattern(nsplugin_t, nsplugin_tmp_t, nsplugin_tmp_t)
|
||||
+manage_sock_files_pattern(nsplugin_t, nsplugin_tmp_t, nsplugin_tmp_t)
|
||||
+files_tmp_filetrans(nsplugin_t, nsplugin_tmp_t, { file dir sock_file })
|
||||
+
|
||||
+userdom_read_user_home_content_files(user, nsplugin_t)
|
||||
+userdom_read_user_tmp_files(user, nsplugin_t)
|
||||
+userdom_write_user_tmp_sockets(user, nsplugin_t)
|
||||
+userdom_dontaudit_append_unpriv_home_content_files(nsplugin_t)
|
||||
+userdom_dontaudit_manage_user_tmp_files(user, nsplugin_t)
|
||||
+
|
||||
+optional_policy(`
|
||||
+ alsa_read_rw_config(nsplugin_t)
|
||||
|
@ -5554,17 +5567,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin
|
|||
+
|
||||
+allow nsplugin_config_t self:capability { sys_nice setuid setgid };
|
||||
+allow nsplugin_config_t self:process { setsched sigkill getsched execmem };
|
||||
+allow nsplugin_t self:sem create_sem_perms;
|
||||
+allow nsplugin_t self:shm create_shm_perms;
|
||||
+allow nsplugin_t self:msgq create_msgq_perms;
|
||||
+
|
||||
+allow nsplugin_config_t self:fifo_file rw_file_perms;
|
||||
+allow nsplugin_config_t self:unix_stream_socket create_stream_socket_perms;
|
||||
+
|
||||
+manage_dirs_pattern(nsplugin_t, nsplugin_tmp_t, nsplugin_tmp_t)
|
||||
+manage_files_pattern(nsplugin_t, nsplugin_tmp_t, nsplugin_tmp_t)
|
||||
+manage_sock_files_pattern(nsplugin_t, nsplugin_tmp_t, nsplugin_tmp_t)
|
||||
+files_tmp_filetrans(nsplugin_t, nsplugin_tmp_t, { file dir sock_file })
|
||||
+fs_list_inotifyfs(nsplugin_t)
|
||||
+
|
||||
+can_exec(nsplugin_config_t, nsplugin_rw_t)
|
||||
+manage_dirs_pattern(nsplugin_config_t, nsplugin_rw_t, nsplugin_rw_t)
|
||||
|
@ -14423,8 +14430,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/gami
|
|||
+')
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/gamin.te serefpolicy-3.3.1/policy/modules/services/gamin.te
|
||||
--- nsaserefpolicy/policy/modules/services/gamin.te 1969-12-31 19:00:00.000000000 -0500
|
||||
+++ serefpolicy-3.3.1/policy/modules/services/gamin.te 2008-03-06 13:11:39.000000000 -0500
|
||||
@@ -0,0 +1,38 @@
|
||||
+++ serefpolicy-3.3.1/policy/modules/services/gamin.te 2008-03-14 10:50:28.000000000 -0400
|
||||
@@ -0,0 +1,39 @@
|
||||
+policy_module(gamin,1.0.0)
|
||||
+
|
||||
+########################################
|
||||
|
@ -14455,6 +14462,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/gami
|
|||
+
|
||||
+fs_list_inotifyfs(gamin_t)
|
||||
+domain_read_all_domains_state(gamin_t)
|
||||
+domain_dontaudit_ptrace_all_domains(gamin_t)
|
||||
+
|
||||
+libs_use_ld_so(gamin_t)
|
||||
+libs_use_shared_libs(gamin_t)
|
||||
|
@ -23745,7 +23753,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
|
|||
/var/lib/pam_devperm/:0 -- gen_context(system_u:object_r:xdm_var_lib_t,s0)
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.if serefpolicy-3.3.1/policy/modules/services/xserver.if
|
||||
--- nsaserefpolicy/policy/modules/services/xserver.if 2007-12-04 11:02:50.000000000 -0500
|
||||
+++ serefpolicy-3.3.1/policy/modules/services/xserver.if 2008-03-12 13:48:02.000000000 -0400
|
||||
+++ serefpolicy-3.3.1/policy/modules/services/xserver.if 2008-03-14 11:14:49.000000000 -0400
|
||||
@@ -12,9 +12,15 @@
|
||||
## </summary>
|
||||
## </param>
|
||||
|
@ -24212,7 +24220,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
|
|||
|
||||
# for when /tmp/.X11-unix is created by the system
|
||||
allow $2 xdm_t:fd use;
|
||||
@@ -542,25 +543,532 @@
|
||||
@@ -542,26 +543,538 @@
|
||||
allow $2 xdm_tmp_t:sock_file { read write };
|
||||
dontaudit $2 xdm_t:tcp_socket { read write };
|
||||
|
||||
|
@ -24703,6 +24711,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
|
|||
+ gen_require(`
|
||||
+ type xdm_t, xdm_tmp_t;
|
||||
+ type user_xauth_home_t, user_iceauth_home_t, xdm_xserver_t, xdm_xserver_tmpfs_t;
|
||||
+ class dbus all_dbus_perms;
|
||||
+ ')
|
||||
+
|
||||
+ allow $3 self:shm create_shm_perms;
|
||||
|
@ -24742,6 +24751,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
|
|||
+ userdom_manage_user_home_content_dirs($1, xdm_t)
|
||||
+ userdom_manage_user_home_content_files($1, xdm_t)
|
||||
+ userdom_user_home_dir_filetrans_user_home_content($1, xdm_t, { dir file })
|
||||
+ allow $3 xdm_t:dbus send_msg;
|
||||
+ allow xdm_t $3:dbus send_msg;
|
||||
+
|
||||
# Client write xserver shm
|
||||
tunable_policy(`allow_write_xshm',`
|
||||
- allow $2 $1_xserver_t:shm rw_shm_perms;
|
||||
|
@ -24749,9 +24761,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
|
|||
+ allow $3 xdm_xserver_t:shm rw_shm_perms;
|
||||
+ allow $3 xdm_xserver_tmpfs_t:file rw_file_perms;
|
||||
')
|
||||
+
|
||||
')
|
||||
|
||||
@@ -593,26 +1101,44 @@
|
||||
########################################
|
||||
@@ -593,26 +1106,44 @@
|
||||
#
|
||||
template(`xserver_use_user_fonts',`
|
||||
gen_require(`
|
||||
|
@ -24803,7 +24817,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
|
|||
## Transition to a user Xauthority domain.
|
||||
## </summary>
|
||||
## <desc>
|
||||
@@ -638,10 +1164,77 @@
|
||||
@@ -638,10 +1169,77 @@
|
||||
#
|
||||
template(`xserver_domtrans_user_xauth',`
|
||||
gen_require(`
|
||||
|
@ -24883,7 +24897,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
|
|||
')
|
||||
|
||||
########################################
|
||||
@@ -671,10 +1264,10 @@
|
||||
@@ -671,10 +1269,10 @@
|
||||
#
|
||||
template(`xserver_user_home_dir_filetrans_user_xauth',`
|
||||
gen_require(`
|
||||
|
@ -24896,7 +24910,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
|
|||
')
|
||||
|
||||
########################################
|
||||
@@ -760,7 +1353,7 @@
|
||||
@@ -760,7 +1358,7 @@
|
||||
type xconsole_device_t;
|
||||
')
|
||||
|
||||
|
@ -24905,7 +24919,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
|
|||
')
|
||||
|
||||
########################################
|
||||
@@ -860,6 +1453,25 @@
|
||||
@@ -860,6 +1458,25 @@
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
|
@ -24931,7 +24945,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
|
|||
## Read xdm-writable configuration files.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
@@ -914,6 +1526,7 @@
|
||||
@@ -914,6 +1531,7 @@
|
||||
files_search_tmp($1)
|
||||
allow $1 xdm_tmp_t:dir list_dir_perms;
|
||||
create_sock_files_pattern($1,xdm_tmp_t,xdm_tmp_t)
|
||||
|
@ -24939,7 +24953,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
|
|||
')
|
||||
|
||||
########################################
|
||||
@@ -955,6 +1568,24 @@
|
||||
@@ -955,6 +1573,24 @@
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
|
@ -24964,7 +24978,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
|
|||
## Execute the X server in the XDM X server domain.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
@@ -965,15 +1596,47 @@
|
||||
@@ -965,15 +1601,47 @@
|
||||
#
|
||||
interface(`xserver_domtrans_xdm_xserver',`
|
||||
gen_require(`
|
||||
|
@ -25013,7 +25027,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
|
|||
## Make an X session script an entrypoint for the specified domain.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
@@ -1123,7 +1786,7 @@
|
||||
@@ -1123,7 +1791,7 @@
|
||||
type xdm_xserver_tmp_t;
|
||||
')
|
||||
|
||||
|
@ -25022,7 +25036,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
|
|||
')
|
||||
|
||||
########################################
|
||||
@@ -1312,3 +1975,83 @@
|
||||
@@ -1312,3 +1980,83 @@
|
||||
files_search_tmp($1)
|
||||
stream_connect_pattern($1,xdm_xserver_tmp_t,xdm_xserver_tmp_t,xdm_xserver_t)
|
||||
')
|
||||
|
@ -29977,7 +29991,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
|
|||
+/root(/.*)? gen_context(system_u:object_r:admin_home_t,s0)
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.3.1/policy/modules/system/userdomain.if
|
||||
--- nsaserefpolicy/policy/modules/system/userdomain.if 2008-02-15 09:52:56.000000000 -0500
|
||||
+++ serefpolicy-3.3.1/policy/modules/system/userdomain.if 2008-03-13 18:42:23.000000000 -0400
|
||||
+++ serefpolicy-3.3.1/policy/modules/system/userdomain.if 2008-03-14 10:48:11.000000000 -0400
|
||||
@@ -29,9 +29,14 @@
|
||||
')
|
||||
|
||||
|
|
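Review bot: The rules `allow $3 xdm_t:dbus send_msg;` and `allow xdm_t $3:dbus send_msg;` in the xserver.if hunk at +24751 grant D-Bus messaging in both directions between xdm_t and every domain passed as `$3` to this template, which is wider than the commit title ("Allow nsplugin to run acroread") suggests. The +/- column is lost on this page, so that these lines (and `class dbus all_dbus_perms;` in the preceding hunk at +24711) are the additions is inferred from the hunk sizes. The template header lies outside both hunks, so its set of callers is not visible here. If only the nsplugin domains need this, the rules would fit better in nsplugin.if. Otherwise a comment above them, such as `# xdm and X client domains exchange D-Bus messages (needed by: <caller>)`, would record why the shared template was widened.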