From ddd1ccaa9394dbe6b407192d892c9d461caa4c08 Mon Sep 17 00:00:00 2001
From: Dan Walsh
Date: Sun, 3 Oct 2010 07:48:01 -0400
Subject: [PATCH] Allow unconfined_t to transition to alsa_t to make sure labels stay correct Lots of fixes for mozilla_plugin nsplugin and mozilla_plugin are starting to merge telepath_msn_t tries to read /proc/1/exe Allow smokeping cgi scripts to create /var/lib/smokeping dirs. Allow smbd_t to getquota on multiple file systems
---
 policy/modules/admin/alsa.if | 26 +++++++++++++++++
 policy/modules/apps/mozilla.if | 39 ++++++++++++++++++++++++--
 policy/modules/apps/mozilla.te | 3 ++
 policy/modules/apps/nsplugin.fc | 1 +
 policy/modules/apps/nsplugin.te | 3 ++
 policy/modules/apps/qemu.if | 2 +-
 policy/modules/apps/telepathy.te | 2 ++
 policy/modules/roles/unconfineduser.te | 21 ++++++--------
 policy/modules/services/apache.te | 2 +-
 policy/modules/services/samba.te | 1 +
 policy/modules/services/smokeping.te | 1 +
 policy/modules/system/authlogin.if | 19 -------------
 12 files changed, 85 insertions(+), 35 deletions(-)
diff --git a/policy/modules/admin/alsa.if b/policy/modules/admin/alsa.if
index 69aa7428..20d51d08 100644
--- a/policy/modules/admin/alsa.if
+++ b/policy/modules/admin/alsa.if
@@ -19,6 +19,32 @@ interface(`alsa_domtrans',`
 domtrans_pattern($1, alsa_exec_t, alsa_t)
 ')
+########################################
+##
+## Execute a domain transition to run
+## Alsa, and allow the specified role
+## the Alsa domain.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+##
+##
+## Role allowed access.
+##
+##
+#
+interface(`alsa_run',`
+ gen_require(`
+ type alsa_t;
+ ')
+
+ alsa_domtrans($1)
+ role $2 types alsa_t;
+')
+
 ########################################
 ##
 ## Read and write Alsa semaphores.
diff --git a/policy/modules/apps/mozilla.if b/policy/modules/apps/mozilla.if
index 47aa143f..dfac7cc2 100644
--- a/policy/modules/apps/mozilla.if
+++ b/policy/modules/apps/mozilla.if
@@ -29,7 +29,7 @@ interface(`mozilla_role',`
 allow mozilla_t $2:process { sigchld signull };
 allow mozilla_t $2:unix_stream_socket connectto;
- mozilla_plugin_run(mozilla_t, $2)
+ mozilla_run_plugin(mozilla_t, $2)
 # Allow the user domain to signal/ps.
 ps_process_pattern($2, mozilla_t)
@@ -138,6 +138,24 @@ interface(`mozilla_dontaudit_manage_user_home_files',`
 dontaudit $1 mozilla_home_t:file manage_file_perms;
 ')
+########################################
+##
+## Execute mozilla home directory content.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`mozilla_execute_user_home_files',`
+ gen_require(`
+ type mozilla_home_t;
+ ')
+
+ can_exec($1, mozilla_home_t)
+')
+
 ########################################
 ##
 ## Execmod mozilla home directory content.
@@ -190,6 +208,7 @@ interface(`mozilla_domtrans_plugin',`
 ')
 domtrans_pattern($1, mozilla_plugin_exec_t, mozilla_plugin_t)
+ allow mozilla_plugin_t $1:process signull;
 ')
@@ -216,8 +235,24 @@ interface(`mozilla_run_plugin',`
 mozilla_domtrans_plugin($1)
 role $2 types mozilla_plugin_t;
+')
- allow mozilla_plugin_t $1:process signull;
+########################################
+##
+## Execute qemu unconfined programs in the role.
+##
+##
+##
+## The role to allow the mozilla_plugin domain.
+##
+##
+#
+interface(`mozilla_role_plugin',`
+ gen_require(`
+ type mozilla_plugin_t;
+ ')
+
+ role $1 types mozilla_plugin_t;
 ')
 ########################################
diff --git a/policy/modules/apps/mozilla.te b/policy/modules/apps/mozilla.te
index 70d899d8..cc87b60b 100644
--- a/policy/modules/apps/mozilla.te
+++ b/policy/modules/apps/mozilla.te
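Review bot: The summary added for `mozilla_role_plugin` in the last mozilla.if hunk (`-216,8 +235,24`) reads "Execute qemu unconfined programs in the role.", which looks copied from the qemu interface and does not describe this macro. The body only requires `mozilla_plugin_t` and emits `role $1 types mozilla_plugin_t;`, so the summary should say something like `Allow the specified role the mozilla_plugin domain.` Interface summaries are what policy authors read when choosing which macro to grant, so a wrong one on a role-association interface is worth fixing before it is copied further.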
@@ -312,6 +312,7 @@ read_files_pattern(mozilla_plugin_t, mozilla_home_t, mozilla_home_t)
 manage_dirs_pattern(mozilla_plugin_t, mozilla_plugin_tmp_t, mozilla_plugin_tmp_t)
 manage_files_pattern(mozilla_plugin_t, mozilla_plugin_tmp_t, mozilla_plugin_tmp_t)
 files_tmp_filetrans(mozilla_plugin_t, mozilla_plugin_tmp_t, { dir file })
+can_exec(mozilla_plugin_t, mozilla_plugin_tmp_t)
 manage_files_pattern(mozilla_plugin_t, mozilla_plugin_tmpfs_t, mozilla_plugin_tmpfs_t)
 manage_lnk_files_pattern(mozilla_plugin_t, mozilla_plugin_tmpfs_t, mozilla_plugin_tmpfs_t)
@@ -365,6 +366,7 @@ userdom_rw_user_tmpfs_files(mozilla_plugin_t)
 userdom_delete_user_tmpfs_files(mozilla_plugin_t)
 userdom_stream_connect(mozilla_plugin_t)
 userdom_dontaudit_use_user_ptys(mozilla_plugin_t)
+userdom_manage_user_tmp_sockets(mozilla_plugin_t)
 userdom_list_user_tmp(mozilla_plugin_t)
 userdom_read_user_tmp_files(mozilla_plugin_t)
@@ -408,4 +410,5 @@ optional_policy(`
 xserver_read_xdm_pid(mozilla_plugin_t)
 xserver_stream_connect(mozilla_plugin_t)
 xserver_use_user_fonts(mozilla_plugin_t)
+ xserver_read_user_iceauth(mozilla_plugin_t)
 ')
diff --git a/policy/modules/apps/nsplugin.fc b/policy/modules/apps/nsplugin.fc
index 63abc5cb..717eb3f1 100644
--- a/policy/modules/apps/nsplugin.fc
+++ b/policy/modules/apps/nsplugin.fc
@@ -1,5 +1,6 @@
 HOME_DIR/\.adobe(/.*)? gen_context(system_u:object_r:nsplugin_home_t,s0)
 HOME_DIR/\.macromedia(/.*)? gen_context(system_u:object_r:nsplugin_home_t,s0)
+HOME_DIR/\.gnash(/.*)? gen_context(system_u:object_r:nsplugin_home_t,s0)
 HOME_DIR/\.gcjwebplugin(/.*)? gen_context(system_u:object_r:nsplugin_home_t,s0)
 HOME_DIR/\.icedteaplugin(/.*)? gen_context(system_u:object_r:nsplugin_home_t,s0)
diff --git a/policy/modules/apps/nsplugin.te b/policy/modules/apps/nsplugin.te
index 4e8a49e2..1ca0e76e 100644
--- a/policy/modules/apps/nsplugin.te
+++ b/policy/modules/apps/nsplugin.te
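Review bot: `can_exec(mozilla_plugin_t, mozilla_plugin_tmp_t)` in the first mozilla.te hunk lands right after `manage_files_pattern(mozilla_plugin_t, mozilla_plugin_tmp_t, mozilla_plugin_tmp_t)`, so the plugin domain can now both create files of that type and execute them without leaving `mozilla_plugin_t`. The same write-then-execute pairing appears in the nsplugin.te hunk at `-180,6 +181,7`, where `mozilla_execute_user_home_files(nsplugin_t)` is added next to `mozilla_write_user_home_files(nsplugin_t)`. For domains whose purpose is to contain browser plugins this removes a useful barrier, and the commit message does not say which plugin needs it. I would add a comment above each rule naming the consumer, e.g. `# <plugin name> unpacks and runs helpers from here`, and consider placing both rules under a tunable that defaults to off.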
@@ -129,6 +129,7 @@ fs_getattr_xattr_fs(nsplugin_t)
 fs_search_auto_mountpoints(nsplugin_t)
 fs_rw_anon_inodefs_files(nsplugin_t)
 fs_list_inotifyfs(nsplugin_t)
+fs_dontaudit_list_fusefs(nsplugin_t)
 storage_dontaudit_getattr_fixed_disk_dev(nsplugin_t)
 storage_dontaudit_getattr_removable_dev(nsplugin_t)
@@ -180,6 +181,7 @@ optional_policy(`
 ')
 optional_policy(`
+ mozilla_execute_user_home_files(nsplugin_t)
 mozilla_read_user_home_files(nsplugin_t)
 mozilla_write_user_home_files(nsplugin_t)
 ')
@@ -225,6 +227,7 @@ allow nsplugin_config_t self:fifo_file rw_file_perms;
 allow nsplugin_config_t self:unix_stream_socket create_stream_socket_perms;
 dev_dontaudit_read_rand(nsplugin_config_t)
+dev_dontaudit_rw_dri(nsplugin_config_t)
 fs_search_auto_mountpoints(nsplugin_config_t)
 fs_list_inotifyfs(nsplugin_config_t)
diff --git a/policy/modules/apps/qemu.if b/policy/modules/apps/qemu.if
index 8d8d9612..f4e15721 100644
--- a/policy/modules/apps/qemu.if
+++ b/policy/modules/apps/qemu.if
@@ -339,7 +339,7 @@ interface(`qemu_spec_domtrans',`
 ##
 ##
 ##
-## The role to allow the PAM domain.
+## The role to allow the qemu unconfined domain.
 ##
 ##
 #
diff --git a/policy/modules/apps/telepathy.te b/policy/modules/apps/telepathy.te
index 34a2b483..0b28cf89 100644
--- a/policy/modules/apps/telepathy.te
+++ b/policy/modules/apps/telepathy.te
@@ -77,6 +77,8 @@ files_read_usr_files(telepathy_msn_t)
 auth_use_nsswitch(telepathy_msn_t)
+init_read_state(telepathy_msn_t)
+
 libs_exec_ldconfig(telepathy_msn_t)
 logging_send_syslog_msg(telepathy_msn_t)
diff --git a/policy/modules/roles/unconfineduser.te b/policy/modules/roles/unconfineduser.te
index 0e47a85b..31bbe957 100644
--- a/policy/modules/roles/unconfineduser.te
+++ b/policy/modules/roles/unconfineduser.te
@@ -20,13 +20,6 @@ gen_tunable(allow_unconfined_nsplugin_transition, false)
 ##
 gen_tunable(unconfined_mozilla_plugin_transition, false)
-##
-##

-## Transition unconfined user to telepathy confined domains.
-##

-##
-gen_tunable(unconfined_telepathy_transition, false)
-
 ##
 ##

## Allow vidio playing tools to tun unconfined
@@ -226,6 +219,10 @@ optional_policy(`
 ada_run(unconfined_t, unconfined_r)
 ')
+optional_policy(`
+ alsa_run(unconfined_t, unconfined_r)
+')
+
 optional_policy(`
 apache_run_helper(unconfined_t, unconfined_r)
 ')
@@ -341,8 +338,10 @@ optional_policy(`
 optional_policy(`
+ mozilla_role_plugin(unconfined_r)
+
 tunable_policy(`unconfined_mozilla_plugin_transition', `
- mozilla_run_plugin(unconfined_usertype, unconfined_r)
+ mozilla_domtrans_plugin(unconfined_usertype)
 ')
 ')
@@ -373,7 +372,7 @@ optional_policy(`
 qemu_domtrans(unconfined_t)
 ',`
 qemu_domtrans_unconfined(unconfined_t)
-')
+ ')
 ')
 optional_policy(`
@@ -404,9 +403,7 @@ optional_policy(`
 ')
 optional_policy(`
- tunable_policy(`unconfined_telepathy_transition', `
- telepathy_dbus_session_role(unconfined_r, unconfined_t)
- ')
+ telepathy_dbus_session_role(unconfined_r, unconfined_t)
 ')
 optional_policy(`
diff --git a/policy/modules/services/apache.te b/policy/modules/services/apache.te
index 300dffb6..411a3ff9 100644
--- a/policy/modules/services/apache.te
+++ b/policy/modules/services/apache.te
@@ -765,7 +765,7 @@ optional_policy(`
 ')
 optional_policy(`
- smokeping_getattr_lib_files(httpd_t)
+ smokeping_read_lib_files(httpd_t)
 ')
 optional_policy(`
diff --git a/policy/modules/services/samba.te b/policy/modules/services/samba.te
index e4334a63..8e36be0c 100644
--- a/policy/modules/services/samba.te
+++ b/policy/modules/services/samba.te
@@ -325,6 +325,7 @@ fs_get_xattr_fs_quotas(smbd_t)
 fs_search_auto_mountpoints(smbd_t)
 fs_getattr_rpc_dirs(smbd_t)
 fs_list_inotifyfs(smbd_t)
+fs_get_all_fs_quotas(smbd_t)
 auth_use_nsswitch(smbd_t)
 auth_domtrans_chk_passwd(smbd_t)
diff --git a/policy/modules/services/smokeping.te b/policy/modules/services/smokeping.te
index 058bfc91..247beaf1 100644
--- a/policy/modules/services/smokeping.te
+++ b/policy/modules/services/smokeping.te
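Review bot: Removing `gen_tunable(unconfined_telepathy_transition, false)` in the first unconfineduser.te hunk, together with the `tunable_policy` wrapper in the `-404,9 +403,7` hunk, makes `telepathy_dbus_session_role(unconfined_r, unconfined_t)` unconditional where it used to be off by default. The commit message mentions neither the change of default nor the removal of the boolean. Anything that sets that boolean (kickstarts, configuration management, admin documentation) will presumably start failing once it no longer exists, so this deserves a line in the commit message; if the intent was only to change the default, keeping the tunable and flipping it to `true` would be the less disruptive route.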
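Review bot: `smokeping_read_lib_files(httpd_t)` in the apache.te hunk widens the main `httpd_t` domain from getattr to read on the smokeping lib files (going by the interface names), but the commit message only describes the smokeping CGI script domain creating directories. If the reads are performed by the CGI script, which already has `manage_files_pattern` on `smokeping_var_lib_t` in smokeping.te, `httpd_t` itself may not need the extra access. A one-line comment quoting the denial that motivated the change, e.g. `# httpd_t reads <path from the AVC> directly`, would settle that. The enclosing `optional_policy` block starts and ends inside the hunk.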
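Review bot: `fs_get_all_fs_quotas(smbd_t)` in the samba.te hunk is added while `fs_get_xattr_fs_quotas(smbd_t)` stays four lines above it (it is the hunk's header context). Judging by the names, the new call covers the old one, so the old line is probably redundant and leaves two overlapping grants for the next reader to reconcile. Either drop `fs_get_xattr_fs_quotas(smbd_t)` in the same change or add a comment such as `# covers xattr filesystems too; fs_get_xattr_fs_quotas kept for <reason>`.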
@@ -65,6 +65,7 @@ optional_policy(`
 allow httpd_smokeping_cgi_script_t self:udp_socket create_socket_perms;
+ manage_dirs_pattern(httpd_smokeping_cgi_script_t, smokeping_var_lib_t, smokeping_var_lib_t)
 manage_files_pattern(httpd_smokeping_cgi_script_t, smokeping_var_lib_t, smokeping_var_lib_t)
 getattr_files_pattern(httpd_smokeping_cgi_script_t, smokeping_var_run_t, smokeping_var_run_t)
diff --git a/policy/modules/system/authlogin.if b/policy/modules/system/authlogin.if
index 149e383c..c411b5ed 100644
--- a/policy/modules/system/authlogin.if
+++ b/policy/modules/system/authlogin.if
@@ -1430,25 +1430,6 @@ interface(`auth_read_login_records',`
 allow $1 wtmp_t:file read_file_perms;
 ')
-########################################
-##

-## Read login records files (/var/log/wtmp).
-##
-##
-##
-## Domain allowed access.
-##
-##
-##
-#
-interface(`auth_dontaudit_read_login_records',`
- gen_require(`
- type wtmp_t;
- ')
-
- dontaudit $1 wtmp_t:file read_file_perms;
-')
-
 ########################################
 ##
 ## Do not audit attempts to read login records