- Allow nsplugin to run acroread

policy-20071130.patch

@@ -5433,8 +5433,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin.te serefpolicy-3.3.1/policy/modules/apps/nsplugin.te
 --- nsaserefpolicy/policy/modules/apps/nsplugin.te	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/apps/nsplugin.te	2008-03-14 10:51:39.000000000 -0400
-@@ -0,0 +1,170 @@
++++ serefpolicy-3.3.1/policy/modules/apps/nsplugin.te	2008-03-14 11:50:19.000000000 -0400
+@@ -0,0 +1,176 @@
 +
 +policy_module(nsplugin,1.0.0)
 +
@@ -5475,10 +5475,12 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin
 +# nsplugin local policy
 +#
 +allow nsplugin_t self:fifo_file rw_file_perms;
-+allow nsplugin_t self:process { ptrace getsched signal_perms };
++allow nsplugin_t self:process { ptrace getsched setsched signal_perms };
++
 +allow nsplugin_t self:sem create_sem_perms;
 +allow nsplugin_t self:shm create_shm_perms;
 +allow nsplugin_t self:msgq create_msgq_perms;
++allow nsplugin_t self:unix_stream_socket { connectto create_stream_socket_perms };
 +
 +tunable_policy(`allow_nsplugin_execmem',`
 +        allow nsplugin_t self:process { execstack execmem };
@@ -5529,10 +5531,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin
 +miscfiles_read_fonts(nsplugin_t)
 +miscfiles_manage_home_fonts(nsplugin_t)
 +
-+manage_dirs_pattern(nsplugin_t, nsplugin_tmp_t, nsplugin_tmp_t)
-+manage_files_pattern(nsplugin_t, nsplugin_tmp_t, nsplugin_tmp_t)
-+manage_sock_files_pattern(nsplugin_t, nsplugin_tmp_t, nsplugin_tmp_t)
-+files_tmp_filetrans(nsplugin_t, nsplugin_tmp_t, { file dir sock_file })
++#manage_dirs_pattern(nsplugin_t, nsplugin_tmp_t, nsplugin_tmp_t)
++#manage_files_pattern(nsplugin_t, nsplugin_tmp_t, nsplugin_tmp_t)
++#manage_sock_files_pattern(nsplugin_t, nsplugin_tmp_t, nsplugin_tmp_t)
++#files_tmp_filetrans(nsplugin_t, nsplugin_tmp_t, { file dir sock_file })
++#userdom_user_tmp_filetrans(user, nsplugin_t, nsplugin_tmp_t, { file dir sock_file })
++
++userdom_manage_user_tmp_dirs(user,nsplugin_t)
++userdom_manage_user_tmp_files(user,nsplugin_t)
++userdom_manage_user_tmp_sockets(user,nsplugin_t)
++userdom_tmp_filetrans_user_tmp(user,nsplugin_t, { file dir sock_file })
++userdom_read_user_tmpfs_files(user,nsplugin_t)
 +
 +userdom_read_user_home_content_files(user, nsplugin_t)
 +userdom_read_user_tmp_files(user, nsplugin_t)
@@ -5571,7 +5580,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin
 +allow nsplugin_config_t self:fifo_file rw_file_perms;
 +allow nsplugin_config_t self:unix_stream_socket create_stream_socket_perms;
 +
-+fs_list_inotifyfs(nsplugin_t)
++fs_list_inotifyfs(nsplugin_config_t)
 +
 +can_exec(nsplugin_config_t, nsplugin_rw_t)
 +manage_dirs_pattern(nsplugin_config_t, nsplugin_rw_t, nsplugin_rw_t)
@@ -5602,9 +5611,6 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin
 +userdom_search_all_users_home_content(nsplugin_config_t)
 +
 +nsplugin_domtrans(nsplugin_config_t)
-+
-+allow nsplugin_t user_home_t:dir { write read };
-+allow nsplugin_t user_home_t:file write;
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/openoffice.fc serefpolicy-3.3.1/policy/modules/apps/openoffice.fc
 --- nsaserefpolicy/policy/modules/apps/openoffice.fc	1969-12-31 19:00:00.000000000 -0500
 +++ serefpolicy-3.3.1/policy/modules/apps/openoffice.fc	2008-03-13 18:18:07.000000000 -0400

selinux-policy.spec

@@ -17,7 +17,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.3.1
-Release: 18%{?dist}
+Release: 19%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -388,6 +388,9 @@ exit 0
 %endif
 
 %changelog
+* Fri Mar 14 2008 Dan Walsh <dwalsh@redhat.com> 3.3.1-19
+- Allow nsplugin to run acroread
+
 * Thu Mar 13 2008 Dan Walsh <dwalsh@redhat.com> 3.3.1-18
 - Add cups_pdf policy
 - Add openoffice policy to run in xguest