Allow unconfined_t to transition to alsa_t to make sure labels stay correct

Lots of fixes for mozilla_plugin nsplugin and mozilla_plugin are starting to merge telepath_msn_t tries to read /proc/1/exe Allow smokeping cgi scripts to create /var/lib/smokeping dirs. Allow smbd_t to getquota on multiple file systems
2010-10-03 07:48:01 -04:00 · 2010-10-03 07:48:01 -04:00 · ddd1ccaa93
commit ddd1ccaa93
parent b45aaab97c
12 changed files with 85 additions and 35 deletions
--- a/policy/modules/admin/alsa.if
+++ b/policy/modules/admin/alsa.if
@ -19,6 +19,32 @@ interface(`alsa_domtrans',`
 	domtrans_pattern($1, alsa_exec_t, alsa_t)
 ')

+########################################
+## <summary>
+##	Execute a domain transition to run
+##	Alsa, and allow the specified role
+##	the Alsa domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed to transition.
+##	</summary>
+## </param>
+## <param name="role">
+##	<summary>
+##	Role allowed access.
+##	</summary>
+## </param>
+#
+interface(`alsa_run',`
+	gen_require(`
+		type alsa_t;
+	')
+
+	alsa_domtrans($1)
+	role $2 types alsa_t;
+')
+
 ########################################
 ## <summary>
 ##	Read and write Alsa semaphores.
--- a/policy/modules/apps/mozilla.if
+++ b/policy/modules/apps/mozilla.if
@ -29,7 +29,7 @@ interface(`mozilla_role',`
 	allow mozilla_t $2:process { sigchld signull };
 	allow mozilla_t $2:unix_stream_socket connectto;

-	mozilla_plugin_run(mozilla_t, $2)
+	mozilla_run_plugin(mozilla_t, $2)

 	# Allow the user domain to signal/ps.
 	ps_process_pattern($2, mozilla_t)
@ -138,6 +138,24 @@ interface(`mozilla_dontaudit_manage_user_home_files',`
 	dontaudit $1 mozilla_home_t:file manage_file_perms;
 ')

+########################################
+## <summary>
+##	Execute mozilla home directory content.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`mozilla_execute_user_home_files',`
+	gen_require(`
+		type mozilla_home_t;
+	')
+
+	can_exec($1, mozilla_home_t)
+')
+
 ########################################
 ## <summary>
 ##	Execmod mozilla home directory content.
@ -190,6 +208,7 @@ interface(`mozilla_domtrans_plugin',`
 	')

 	domtrans_pattern($1, mozilla_plugin_exec_t, mozilla_plugin_t)
+	allow mozilla_plugin_t $1:process signull;	
 ')


@ -216,8 +235,24 @@ interface(`mozilla_run_plugin',`

 	mozilla_domtrans_plugin($1)
 	role $2 types mozilla_plugin_t;
+')

-	allow mozilla_plugin_t $1:process signull;	
+########################################
+## <summary>
+##	Execute qemu unconfined programs in the role.
+## </summary>
+## <param name="role">
+##	<summary>
+##	The role to allow the mozilla_plugin domain.
+##	</summary>
+## </param>
+#
+interface(`mozilla_role_plugin',`
+	gen_require(`
+		type mozilla_plugin_t;
+	')
+
+	role $1 types mozilla_plugin_t;
 ')

 ########################################
--- a/policy/modules/apps/mozilla.te
+++ b/policy/modules/apps/mozilla.te
@ -312,6 +312,7 @@ read_files_pattern(mozilla_plugin_t, mozilla_home_t, mozilla_home_t)
 manage_dirs_pattern(mozilla_plugin_t, mozilla_plugin_tmp_t, mozilla_plugin_tmp_t)
 manage_files_pattern(mozilla_plugin_t, mozilla_plugin_tmp_t, mozilla_plugin_tmp_t)
 files_tmp_filetrans(mozilla_plugin_t, mozilla_plugin_tmp_t, { dir file })
+can_exec(mozilla_plugin_t, mozilla_plugin_tmp_t)

 manage_files_pattern(mozilla_plugin_t, mozilla_plugin_tmpfs_t, mozilla_plugin_tmpfs_t)
 manage_lnk_files_pattern(mozilla_plugin_t, mozilla_plugin_tmpfs_t, mozilla_plugin_tmpfs_t)
@ -365,6 +366,7 @@ userdom_rw_user_tmpfs_files(mozilla_plugin_t)
 userdom_delete_user_tmpfs_files(mozilla_plugin_t)
 userdom_stream_connect(mozilla_plugin_t)
 userdom_dontaudit_use_user_ptys(mozilla_plugin_t)
+userdom_manage_user_tmp_sockets(mozilla_plugin_t)

 userdom_list_user_tmp(mozilla_plugin_t)
 userdom_read_user_tmp_files(mozilla_plugin_t)
@ -408,4 +410,5 @@ optional_policy(`
 	xserver_read_xdm_pid(mozilla_plugin_t)
 	xserver_stream_connect(mozilla_plugin_t)
 	xserver_use_user_fonts(mozilla_plugin_t)
+	xserver_read_user_iceauth(mozilla_plugin_t)
 ')
--- a/policy/modules/apps/nsplugin.fc
+++ b/policy/modules/apps/nsplugin.fc
@ -1,5 +1,6 @@
 HOME_DIR/\.adobe(/.*)?			gen_context(system_u:object_r:nsplugin_home_t,s0)
 HOME_DIR/\.macromedia(/.*)?		gen_context(system_u:object_r:nsplugin_home_t,s0)
+HOME_DIR/\.gnash(/.*)?			gen_context(system_u:object_r:nsplugin_home_t,s0)
 HOME_DIR/\.gcjwebplugin(/.*)?		gen_context(system_u:object_r:nsplugin_home_t,s0)
 HOME_DIR/\.icedteaplugin(/.*)?		gen_context(system_u:object_r:nsplugin_home_t,s0)

--- a/policy/modules/apps/nsplugin.te
+++ b/policy/modules/apps/nsplugin.te
@ -129,6 +129,7 @@ fs_getattr_xattr_fs(nsplugin_t)
 fs_search_auto_mountpoints(nsplugin_t)
 fs_rw_anon_inodefs_files(nsplugin_t)
 fs_list_inotifyfs(nsplugin_t)
+fs_dontaudit_list_fusefs(nsplugin_t)

 storage_dontaudit_getattr_fixed_disk_dev(nsplugin_t)
 storage_dontaudit_getattr_removable_dev(nsplugin_t)
@ -180,6 +181,7 @@ optional_policy(`
 ')

 optional_policy(`
+	mozilla_execute_user_home_files(nsplugin_t)
 	mozilla_read_user_home_files(nsplugin_t)
 	mozilla_write_user_home_files(nsplugin_t)
 ')
@ -225,6 +227,7 @@ allow nsplugin_config_t self:fifo_file rw_file_perms;
 allow nsplugin_config_t self:unix_stream_socket create_stream_socket_perms;

 dev_dontaudit_read_rand(nsplugin_config_t)
+dev_dontaudit_rw_dri(nsplugin_config_t)

 fs_search_auto_mountpoints(nsplugin_config_t)
 fs_list_inotifyfs(nsplugin_config_t)
--- a/policy/modules/apps/qemu.if
+++ b/policy/modules/apps/qemu.if
@ -339,7 +339,7 @@ interface(`qemu_spec_domtrans',`
 ## </summary>
 ## <param name="role">
 ##	<summary>
-##	The role to allow the PAM domain.
+##	The role to allow the qemu unconfined domain.
 ##	</summary>
 ## </param>
 #
--- a/policy/modules/apps/telepathy.te
+++ b/policy/modules/apps/telepathy.te
@ -77,6 +77,8 @@ files_read_usr_files(telepathy_msn_t)

 auth_use_nsswitch(telepathy_msn_t)

+init_read_state(telepathy_msn_t)
+
 libs_exec_ldconfig(telepathy_msn_t)

 logging_send_syslog_msg(telepathy_msn_t)
--- a/policy/modules/roles/unconfineduser.te
+++ b/policy/modules/roles/unconfineduser.te
@ -20,13 +20,6 @@ gen_tunable(allow_unconfined_nsplugin_transition, false)
 ## </desc>
 gen_tunable(unconfined_mozilla_plugin_transition, false)

-## <desc>
-## <p>
-## Transition unconfined user to telepathy confined domains.
-## </p>
-## </desc>
-gen_tunable(unconfined_telepathy_transition, false)
-
 ## <desc>
 ## <p>
 ## Allow vidio playing tools to tun unconfined
@ -226,6 +219,10 @@ optional_policy(`
 	ada_run(unconfined_t, unconfined_r)
 ')

+optional_policy(`
+	alsa_run(unconfined_t, unconfined_r)
+')
+
 optional_policy(`
 	apache_run_helper(unconfined_t, unconfined_r)
 ')
@ -341,8 +338,10 @@ optional_policy(`


 optional_policy(`
+	mozilla_role_plugin(unconfined_r)
+
 	tunable_policy(`unconfined_mozilla_plugin_transition', `
-			mozilla_run_plugin(unconfined_usertype, unconfined_r)
+			mozilla_domtrans_plugin(unconfined_usertype)
 	')
 ')

@ -373,7 +372,7 @@ optional_policy(`
 		qemu_domtrans(unconfined_t)
 	',`
 		qemu_domtrans_unconfined(unconfined_t)
-')
+	')
 ')

 optional_policy(`
@ -404,9 +403,7 @@ optional_policy(`
 ')

 optional_policy(`
-	tunable_policy(`unconfined_telepathy_transition', `
-		   telepathy_dbus_session_role(unconfined_r, unconfined_t)
-	')
+	telepathy_dbus_session_role(unconfined_r, unconfined_t)
 ')

 optional_policy(`
--- a/policy/modules/services/apache.te
+++ b/policy/modules/services/apache.te
@ -765,7 +765,7 @@ optional_policy(`
 ')

 optional_policy(`
-	smokeping_getattr_lib_files(httpd_t)
+	smokeping_read_lib_files(httpd_t)
 ')

 optional_policy(`
--- a/policy/modules/services/samba.te
+++ b/policy/modules/services/samba.te
@ -325,6 +325,7 @@ fs_get_xattr_fs_quotas(smbd_t)
 fs_search_auto_mountpoints(smbd_t)
 fs_getattr_rpc_dirs(smbd_t)
 fs_list_inotifyfs(smbd_t)
+fs_get_all_fs_quotas(smbd_t)

 auth_use_nsswitch(smbd_t)
 auth_domtrans_chk_passwd(smbd_t)
--- a/policy/modules/services/smokeping.te
+++ b/policy/modules/services/smokeping.te
@ -65,6 +65,7 @@ optional_policy(`

 	allow httpd_smokeping_cgi_script_t self:udp_socket create_socket_perms;

+	manage_dirs_pattern(httpd_smokeping_cgi_script_t, smokeping_var_lib_t, smokeping_var_lib_t)
 	manage_files_pattern(httpd_smokeping_cgi_script_t, smokeping_var_lib_t, smokeping_var_lib_t)

 	getattr_files_pattern(httpd_smokeping_cgi_script_t, smokeping_var_run_t, smokeping_var_run_t)
--- a/policy/modules/system/authlogin.if
+++ b/policy/modules/system/authlogin.if
@ -1430,25 +1430,6 @@ interface(`auth_read_login_records',`
 	allow $1 wtmp_t:file read_file_perms;
 ')

-########################################
-## <summary>
-##	Read login records files (/var/log/wtmp).
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-## <rolecap/>
-#
-interface(`auth_dontaudit_read_login_records',`
-	gen_require(`
-		type wtmp_t;
-	')
-
-	dontaudit $1 wtmp_t:file read_file_perms;
-')
-
 ########################################
 ## <summary>
 ##	Do not audit attempts to read login records