Fix sandbox tcp_socket calls to create_stream_socket_perms
Dontaudit sandbox_xserver_t trying to get the kernel to load modules telepathy_msn sends dbus messages to networkmanager mailman_t trys to read /root/.config xserver tries to getpgid on processes that start it. pam_systemd causes /var/run/users to be called for all login programs. Must allow them to create directories
This commit is contained in:
Dan Walsh
parent
4fccad906d
commit
c6fa935fd5
@ -45,6 +45,8 @@ manage_fifo_files_pattern(sandbox_xserver_t, sandbox_xserver_tmpfs_t, sandbox_xs
|
||||
manage_sock_files_pattern(sandbox_xserver_t, sandbox_xserver_tmpfs_t, sandbox_xserver_tmpfs_t)
|
||||
fs_tmpfs_filetrans(sandbox_xserver_t, sandbox_xserver_tmpfs_t, { dir file lnk_file sock_file fifo_file })
|
||||
|
||||
kernel_dontaudit_request_load_module(sandbox_xserver_t)
|
||||
|
||||
corecmd_exec_bin(sandbox_xserver_t)
|
||||
corecmd_exec_shell(sandbox_xserver_t)
|
||||
|
||||
@ -238,7 +240,7 @@ userdom_use_user_ptys(sandbox_x_t)
|
||||
#
|
||||
# sandbox_x_client_t local policy
|
||||
#
|
||||
allow sandbox_x_client_t self:tcp_socket create_socket_perms;
|
||||
allow sandbox_x_client_t self:tcp_socket create_stream_socket_perms;
|
||||
allow sandbox_x_client_t self:udp_socket create_socket_perms;
|
||||
allow sandbox_x_client_t self:dbus { acquire_svc send_msg };
|
||||
allow sandbox_x_client_t self:netlink_selinux_socket create_socket_perms;
|
||||
@ -272,7 +274,7 @@ allow sandbox_web_type self:netlink_audit_socket nlmsg_relay;
|
||||
allow sandbox_web_type self:process setsched;
|
||||
dontaudit sandbox_web_type self:process setrlimit;
|
||||
|
||||
allow sandbox_web_type self:tcp_socket create_socket_perms;
|
||||
allow sandbox_web_type self:tcp_socket create_stream_socket_perms;
|
||||
allow sandbox_web_type self:udp_socket create_socket_perms;
|
||||
allow sandbox_web_type self:dbus { acquire_svc send_msg };
|
||||
allow sandbox_web_type self:netlink_selinux_socket create_socket_perms;
|
||||
|
||||
@ -80,6 +80,9 @@ sysnet_read_config(telepathy_msn_t)
|
||||
|
||||
optional_policy(`
|
||||
dbus_system_bus_client(telepathy_msn_t)
|
||||
optional_policy(`
|
||||
networkmanager_dbus_chat(telepathy_msn_t)
|
||||
')
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
|
||||
@ -239,6 +239,7 @@ files_read_etc_files(devicekit_power_t)
|
||||
files_read_usr_files(devicekit_power_t)
|
||||
|
||||
fs_list_inotifyfs(devicekit_power_t)
|
||||
fs_getattr_all_fs(devicekit_power_t)
|
||||
|
||||
term_use_all_terms(devicekit_power_t)
|
||||
|
||||
|
||||
@ -80,6 +80,10 @@ optional_policy(`
|
||||
courier_read_spool(mailman_mail_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
gnome_dontaudit_search_config(mailman_mail_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
cron_read_pipes(mailman_mail_t)
|
||||
')
|
||||
|
||||
@ -1164,6 +1164,8 @@ interface(`xserver_domtrans',`
|
||||
|
||||
allow $1 xserver_t:process siginh;
|
||||
domtrans_pattern($1, xserver_exec_t, xserver_t)
|
||||
|
||||
allow xserver_t $1:process getpgid;
|
||||
')
|
||||
|
||||
########################################
|
||||
|
||||
@ -113,6 +113,7 @@ interface(`auth_login_pgm_domain',`
|
||||
userdom_manage_all_users_keys($1)
|
||||
|
||||
files_list_var_lib($1)
|
||||
manage_dirs_pattern($1, var_auth_t, var_auth_t)
|
||||
manage_files_pattern($1, var_auth_t, var_auth_t)
|
||||
|
||||
manage_dirs_pattern($1, auth_cache_t, auth_cache_t)
|
||||
|
||||
Loading…
Reference in New Issue
Block a user