Mozilla patch from Dan Walsh.

2009-12-01 10:30:30 -05:00 · 2009-12-01 10:30:30 -05:00 · b77daab0ed
commit b77daab0ed
parent 36ded4bd36
2 changed files with 54 additions and 2 deletions
--- a/policy/modules/apps/mozilla.if
+++ b/policy/modules/apps/mozilla.if
@ -45,6 +45,12 @@ interface(`mozilla_role',`
 	relabel_dirs_pattern($2, mozilla_home_t, mozilla_home_t)
 	relabel_files_pattern($2, mozilla_home_t, mozilla_home_t)
 	relabel_lnk_files_pattern($2, mozilla_home_t, mozilla_home_t)
+
+	mozilla_dbus_chat($2)
+
+	optional_policy(`
+		pulseaudio_role($1, mozilla_t)
+	')
 ')

 ########################################
@ -64,6 +70,7 @@ interface(`mozilla_read_user_home_files',`

 	allow $1 mozilla_home_t:dir list_dir_perms;
 	allow $1 mozilla_home_t:file read_file_perms;
+	allow $1 mozilla_home_t:lnk_file read_lnk_file_perms;
 	userdom_search_user_home_dirs($1)
 ')

@ -86,6 +93,43 @@ interface(`mozilla_write_user_home_files',`
 	userdom_search_user_home_dirs($1)
 ')

+########################################
+## <summary>
+##	Dontaudit attempts to read/write mozilla home directory content
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`mozilla_dontaudit_rw_user_home_files',`
+	gen_require(`
+		type mozilla_home_t;
+	')
+
+	dontaudit $1 mozilla_home_t:file rw_file_perms;
+')
+
+########################################
+## <summary>
+##	Dontaudit attempts to write mozilla home directory content
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`mozilla_dontaudit_manage_user_home_files',`
+	gen_require(`
+		type mozilla_home_t;
+	')
+
+	dontaudit $1 mozilla_home_t:dir manage_dir_perms;
+	dontaudit $1 mozilla_home_t:file manage_file_perms;
+')
+
 ########################################
 ## <summary>
 ##	Run mozilla in the mozilla domain.
--- a/policy/modules/apps/mozilla.te
+++ b/policy/modules/apps/mozilla.te
@ -1,5 +1,5 @@

-policy_module(mozilla, 2.1.0)
+policy_module(mozilla, 2.1.1)

 ########################################
 #
@ -59,6 +59,7 @@ manage_dirs_pattern(mozilla_t, mozilla_home_t, mozilla_home_t)
 manage_files_pattern(mozilla_t, mozilla_home_t, mozilla_home_t)
 manage_lnk_files_pattern(mozilla_t, mozilla_home_t, mozilla_home_t)
 userdom_search_user_home_dirs(mozilla_t)
+userdom_user_home_dir_filetrans(mozilla_t, mozilla_home_t, dir)

 # Mozpluggerrc
 allow mozilla_t mozilla_conf_t:file read_file_perms;
@ -75,7 +76,7 @@ kernel_read_network_state(mozilla_t)
 kernel_read_system_state(mozilla_t)
 kernel_read_net_sysctls(mozilla_t)

-# Look for plugins 
+# Look for plugins
 corecmd_list_bin(mozilla_t)
 # for bash - old mozilla binary
 corecmd_exec_shell(mozilla_t)
@ -97,6 +98,7 @@ corenet_tcp_connect_http_cache_port(mozilla_t)
 corenet_tcp_connect_ftp_port(mozilla_t)
 corenet_tcp_connect_ipp_port(mozilla_t)
 corenet_tcp_connect_generic_port(mozilla_t)
+corenet_tcp_connect_soundd_port(mozilla_t)
 corenet_sendrecv_http_client_packets(mozilla_t)
 corenet_sendrecv_http_cache_client_packets(mozilla_t)
 corenet_sendrecv_ftp_client_packets(mozilla_t)
@ -114,6 +116,8 @@ dev_read_sound(mozilla_t)
 dev_dontaudit_rw_dri(mozilla_t)
 dev_getattr_sysfs_dirs(mozilla_t)

+domain_dontaudit_read_all_domains_state(mozilla_t)
+
 files_read_etc_runtime_files(mozilla_t)
 files_read_usr_files(mozilla_t)
 files_read_etc_files(mozilla_t)
@ -231,6 +235,10 @@ optional_policy(`
 optional_policy(`
 	dbus_system_bus_client(mozilla_t)
 	dbus_session_bus_client(mozilla_t)
+
+	optional_policy(`
+		networkmanager_dbus_chat(mozilla_t)
+	')
 ')

 optional_policy(`