From dfe675b8f7b26efcd882e7af121ef3036524c266 Mon Sep 17 00:00:00 2001
From: Dan Walsh
Date: Wed, 8 Sep 2010 12:06:20 -0400
Subject: [PATCH] Mozilla_plugin needs to getattr on tmpfs and no longer needs to write to tmpfs_t
cleanup of nsplugin interface definition
Latest pm-utils is causing lots of domains to see a leaked lock file
I want mplayer to run as unconfined_execmem_t
mountpoint is causing dbus and init apps to getattr on all filesystems directories
Miroslav update dkim-milter
NetworkManager dbus chats with init
Allow apps that can read user_fonts_t to read the symbolic link
udev needs to manage etc_t
---
 policy/modules/apps/execmem.fc | 1 -
 policy/modules/apps/mozilla.te | 4 +---
 policy/modules/apps/nsplugin.if | 13 +-----------
 policy/modules/kernel/domain.te | 4 ++++
 policy/modules/roles/unconfineduser.te | 13 ++++++++++++
 policy/modules/services/dbus.if | 2 +-
 policy/modules/services/milter.fc | 4 ++++
 policy/modules/services/milter.if | 19 ++++++++++++++++++
 policy/modules/services/milter.te | 24 +++++++++++++++++++++++
 policy/modules/services/networkmanager.te | 2 ++
 policy/modules/services/xserver.if | 3 +++
 policy/modules/system/init.te | 1 +
 policy/modules/system/libraries.te | 3 ++-
 policy/modules/system/udev.te | 4 +++-
 14 files changed, 78 insertions(+), 19 deletions(-)
diff --git a/policy/modules/apps/execmem.fc b/policy/modules/apps/execmem.fc
index e049042e..9bd4f454 100644
--- a/policy/modules/apps/execmem.fc
+++ b/policy/modules/apps/execmem.fc
@@ -10,7 +10,6 @@
 /usr/bin/runhaskell -- gen_context(system_u:object_r:execmem_exec_t,s0)
 /usr/bin/sbcl -- gen_context(system_u:object_r:execmem_exec_t,s0)
 /usr/bin/skype -- gen_context(system_u:object_r:execmem_exec_t,s0)
-/usr/bin/vlc -- gen_context(system_u:object_r:execmem_exec_t,s0)
 /usr/bin/valgrind -- gen_context(system_u:object_r:execmem_exec_t,s0)
 /usr/sbin/vboxadd-service -- gen_context(system_u:object_r:execmem_exec_t,s0)
 /usr/sbin/VBox.* -- gen_context(system_u:object_r:execmem_exec_t,s0)
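Review bot: Removing the `/usr/bin/vlc` context line leaves the binary to whatever broader pattern matches it (presumably a plain executable label), so it no longer enters the execmem domain on exec; nothing in the commit message mentions vlc or a replacement label, so if vlc still needs execmem this is a silent regression rather than a cleanup. If a dedicated context for vlc now lives in another module, a one-line note in the commit message (or a comment where that context is declared) would make the intent auditable.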
diff --git a/policy/modules/apps/mozilla.te b/policy/modules/apps/mozilla.te
index 04f51963..58899ca4 100644
--- a/policy/modules/apps/mozilla.te
+++ b/policy/modules/apps/mozilla.te
@@ -332,8 +332,7 @@ domain_dontaudit_read_all_domains_state(mozilla_plugin_t)
 files_read_config_files(mozilla_plugin_t)
 files_read_usr_files(mozilla_plugin_t)
-# Would like to get rid of this but needed to talk to mislabeled tmpfs
-fs_rw_tmpfs_files(mozilla_plugin_t)
+fs_getattr_tmpfs(mozilla_plugin_t)
 miscfiles_read_localization(mozilla_plugin_t)
 miscfiles_read_fonts(mozilla_plugin_t)
@@ -367,4 +366,3 @@ optional_policy(`
 xserver_read_xdm_pid(mozilla_plugin_t)
 xserver_stream_connect(mozilla_plugin_t)
 ')
-
diff --git a/policy/modules/apps/nsplugin.if b/policy/modules/apps/nsplugin.if
index acab1e72..4dd9d05a 100644
--- a/policy/modules/apps/nsplugin.if
+++ b/policy/modules/apps/nsplugin.if
@@ -45,27 +45,16 @@ interface(`nsplugin_manage_rw',`
 ##
 ## The per role template for the nsplugin module.
 ##
-##
-##

-## This template creates a derived domains which are used
-## for nsplugin web browser.
-##

-##

-## This template is invoked automatically for each user, and
-## generally does not need to be invoked directly
-## by policy writers.
-##

-##
 ##
 ##
 ## The role associated with the user domain.
 ##
+##
 ##
 ##
 ## The type of the user domain.
 ##
 ##
-##
 #
 interface(`nsplugin_role_notrans',`
 gen_require(`
diff --git a/policy/modules/kernel/domain.te b/policy/modules/kernel/domain.te
index ae622110..d58ef64a 100644
--- a/policy/modules/kernel/domain.te
+++ b/policy/modules/kernel/domain.te
@@ -251,6 +251,10 @@ ifdef(`hide_broken_symptoms',`
 allow domain domain:key { link search };
 ')
+optional_policy(`
+ hal_dontaudit_read_pid_files(domain)
+')
+
 optional_policy(`
 ifdef(`hide_broken_symptoms',`
 afs_rw_udp_sockets(domain)
diff --git a/policy/modules/roles/unconfineduser.te b/policy/modules/roles/unconfineduser.te
index 177e89c7..799db362 100644
--- a/policy/modules/roles/unconfineduser.te
+++ b/policy/modules/roles/unconfineduser.te
@@ -13,6 +13,13 @@ attribute unconfined_login_domain;
 ##
 gen_tunable(allow_unconfined_nsplugin_transition, false)
+##
+##
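Review bot: `hal_dontaudit_read_pid_files(domain)` is unconditional, whereas the two neighbouring rules in this hunk that paper over leaks (`allow domain domain:key { link search }` above it and `afs_rw_udp_sockets(domain)` below it) are only emitted inside `ifdef(`hide_broken_symptoms',`…')`; a dontaudit applied to every domain on the system hides the pm-utils fd leak the commit message describes from everyone, including the people who would fix it. Wrapping the new call in the same `ifdef(`hide_broken_symptoms',` guard keeps the symptom visible in builds that want to see it, and the rule should carry a comment naming the cause, e.g. `# pm-utils leaks its lock fd into the domains it spawns (see hal pid files)`. The `afs` optional_policy block that this hunk opens continues past the end of the hunk.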

+## Allow vidio playing tools to tun unconfined
+##

+##
+gen_tunable(unconfined_mplayer, false)
+
 ##
 ##

 ## Allow a user to login as an unconfined domain
@@ -435,6 +442,12 @@ optional_policy(`
 ')
 ')
+ optional_policy(`
+ tunable_policy(`unconfined_login',`
+ mplayer_exec_domtrans(unconfined_t, unconfined_execmem_t)
+ ')
+ ')
+
 optional_policy(`
 openoffice_exec_domtrans(unconfined_t, unconfined_execmem_t)
 ')
diff --git a/policy/modules/services/dbus.if b/policy/modules/services/dbus.if
index 4ab36ba6..e385f2f1 100644
--- a/policy/modules/services/dbus.if
+++ b/policy/modules/services/dbus.if
@@ -442,7 +442,7 @@ interface(`dbus_system_domain',`
 domtrans_pattern(system_dbusd_t, $2, $1)
- fs_search_cgroup_dirs($1)
+ fs_search_all($1)
 dbus_system_bus_client($1)
 dbus_connect_system_bus($1)
diff --git a/policy/modules/services/milter.fc b/policy/modules/services/milter.fc
index 55a3e2f8..613c69d5 100644
--- a/policy/modules/services/milter.fc
+++ b/policy/modules/services/milter.fc
@@ -1,3 +1,6 @@
+/etc/mail/dkim-milter/keys(/.*)? gen_context(system_u:object_r:dkim_milter_private_key_t,s0)
+
+/usr/sbin/dkim-filter -- gen_context(system_u:object_r:dkim_milter_exec_t,s0)
 /usr/sbin/milter-greylist -- gen_context(system_u:object_r:greylist_milter_exec_t,s0)
 /usr/sbin/milter-regex -- gen_context(system_u:object_r:regex_milter_exec_t,s0)
 /usr/sbin/spamass-milter -- gen_context(system_u:object_r:spamass_milter_exec_t,s0)
@@ -5,6 +8,7 @@
 /var/lib/milter-greylist(/.*)? gen_context(system_u:object_r:greylist_milter_data_t,s0)
 /var/lib/spamass-milter(/.*)? gen_context(system_u:object_r:spamass_milter_state_t,s0)
+/var/run/dkim-milter(/.*)? gen_context(system_u:object_r:dkim_milter_data_t,s0)
 /var/run/milter-greylist(/.*)? gen_context(system_u:object_r:greylist_milter_data_t,s0)
 /var/run/milter-greylist\.pid -- gen_context(system_u:object_r:greylist_milter_data_t,s0)
 /var/run/spamass-milter(/.*)? gen_context(system_u:object_r:spamass_milter_data_t,s0)
diff --git a/policy/modules/services/milter.if b/policy/modules/services/milter.if
index 96cba913..a000225c 100644
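Review bot: The description of the new boolean, `Allow vidio playing tools to tun unconfined`, is the text administrators see from setsebool/semanage and has two typos; it should read `## Allow video playing tools to run unconfined`. Note also that `unconfined_mplayer` is declared in this hunk but referenced nowhere in the patch, which makes the boolean inert as committed.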
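Review bot: The new mplayer transition is gated on the wrong boolean: the hunk tests `tunable_policy(`unconfined_login',` while the tunable this commit introduces for exactly this purpose, `unconfined_mplayer`, is never consulted, so the transition to unconfined_execmem_t silently follows the unrelated login setting and toggling the new boolean does nothing. The condition should be `tunable_policy(`unconfined_mplayer',`. The `optional_policy` block for unconfined_t that these rules live in starts before the hunk.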
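Review bot: Swapping `fs_search_cgroup_dirs($1)` for `fs_search_all($1)` hands every domain built with `dbus_system_domain` — that is, every confined system-bus service — search on the directories of every filesystem type (search_dir_perms in this policy base also carries getattr and open, I believe), which is a much larger grant than the cgroup-only one it replaces and larger than the "getattr on mountpoints" symptom the commit message cites. If only stat of mounted filesystems is needed, a getattr-only interface on filesystem_type dirs (or a dontaudit, if the access is not functionally required) keeps the other services' confinement intact; at minimum the line deserves a comment such as `# mountpoint(1) stats every mounted filesystem` so the next reader knows why the blanket rule is here. The interface body continues outside the hunk.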
--- a/policy/modules/services/milter.if
+++ b/policy/modules/services/milter.if
@@ -120,3 +120,22 @@ interface(`milter_manage_spamass_state',`
 manage_dirs_pattern($1, spamass_milter_state_t, spamass_milter_state_t)
 manage_lnk_files_pattern($1, spamass_milter_state_t, spamass_milter_state_t)
 ')
+
+#######################################
+##

+## Delete dkim-milter PID files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`milter_delete_dkim_pid_files',`
+ gen_require(`
+ type dkim_milter_data_t;
+ ')
+
+ files_search_pids($1)
+ delete_files_pattern($1, dkim_milter_data_t, dkim_milter_data_t)
+')
diff --git a/policy/modules/services/milter.te b/policy/modules/services/milter.te
index 1b6dea0e..6ba48ffe 100644
--- a/policy/modules/services/milter.te
+++ b/policy/modules/services/milter.te
@@ -9,6 +9,13 @@ policy_module(milter, 1.2.1)
 attribute milter_domains;
 attribute milter_data_type;
+# support for dkim-milter - domainKeys Identified Mail sender authentication sendmail milter
+milter_template(dkim)
+
+# type for the private key of dkim-milter
+type dkim_milter_private_key_t;
+files_type(dkim_milter_private_key_t)
+
 # currently-supported milters are milter-greylist, milter-regex and spamass-milter
 milter_template(greylist)
 milter_template(regex)
@@ -20,6 +27,23 @@ milter_template(spamass)
 type spamass_milter_state_t;
 files_type(spamass_milter_state_t)
+#######################################
+#
+# dkim-milter local policy
+#
+
+allow dkim_milter_t self:capability { kill setgid setuid };
+
+allow dkim_milter_t self:unix_stream_socket create_stream_socket_perms;
+
+read_files_pattern(dkim_milter_t, dkim_milter_private_key_t, dkim_milter_private_key_t)
+
+auth_use_nsswitch(dkim_milter_t)
+
+sysnet_dns_name_resolve(dkim_milter_t)
+
+mta_read_config(dkim_milter_t)
+
 ########################################
 #
 # milter-greylist local policy
diff --git a/policy/modules/services/networkmanager.te b/policy/modules/services/networkmanager.te
index 96772367..45ecee3d 100644
--- a/policy/modules/services/networkmanager.te
+++ b/policy/modules/services/networkmanager.te
@@ -189,6 +189,8 @@ optional_policy(`
 optional_policy(`
 dbus_system_domain(NetworkManager_t, NetworkManager_exec_t)
+ init_dbus_chat(NetworkManager_t)
+
 optional_policy(`
 consolekit_dbus_chat(NetworkManager_t)
 ')
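Review bot: The comment on the new `dkim_milter_private_key_t` type only says what it labels, not what the access contract is, and that contract is the security property worth preserving: within this patch the only rule touching the type is read-only for dkim_milter_t, and no domain may create, write or relabel it. Spell that out next to the declaration, e.g. `# DKIM signing keys (/etc/mail/dkim-milter/keys): read-only for dkim_milter_t, never managed by any milter domain`, so a later "fix the denial" change does not quietly add write access. Minor: the standard is spelled DomainKeys, so `domainKeys Identified Mail` in the comment above `milter_template(dkim)` should be `DomainKeys Identified Mail`.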
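Review bot: `allow dkim_milter_t self:capability { kill setgid setuid };` grants CAP_KILL to a network-facing mail filter with no comment saying why; setgid/setuid are the ordinary privilege-drop pair, but kill lets the daemon signal processes owned by other users, and if the audited denial came from the daemon signalling its own children (same uid) no capability is needed at all, so the bit can presumably be dropped once that is confirmed. If it must stay, record the reason on the line, e.g. `# kill: dkim-filter signals <which process> — TODO confirm`. The private-key rule in the same hunk is read-only, which is the right shape for signing keys and worth keeping that way.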
diff --git a/policy/modules/services/xserver.if b/policy/modules/services/xserver.if
index 0515e6a9..4bc9fff5 100644
--- a/policy/modules/services/xserver.if
+++ b/policy/modules/services/xserver.if
@@ -38,6 +38,7 @@ interface(`xserver_restricted_role',`
 allow $2 user_fonts_t:dir list_dir_perms;
 allow $2 user_fonts_t:file read_file_perms;
+ allow $2 user_fonts_t:lnk_file read_lnk_file_perms;
 allow $2 user_fonts_config_t:dir list_dir_perms;
 allow $2 user_fonts_config_t:file read_file_perms;
@@ -164,6 +165,7 @@ interface(`xserver_role',`
 mls_xwin_read_to_clearance($2)
 manage_dirs_pattern($2, user_fonts_t, user_fonts_t)
 manage_files_pattern($2, user_fonts_t, user_fonts_t)
+ allow $2 user_fonts_t:lnk_file read_lnk_file_perms;
 relabel_dirs_pattern($2, user_fonts_t, user_fonts_t)
 relabel_files_pattern($2, user_fonts_t, user_fonts_t)
@@ -551,6 +553,7 @@ interface(`xserver_use_user_fonts',`
 # Read per user fonts
 allow $1 user_fonts_t:dir list_dir_perms;
 allow $1 user_fonts_t:file read_file_perms;
+ allow $1 user_fonts_t:lnk_file read_lnk_file_perms;
 # Manipulate the global font cache
 manage_dirs_pattern($1, user_fonts_cache_t, user_fonts_cache_t)
diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
index 9f9b812a..a80b4c71 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -882,6 +882,7 @@ optional_policy(`
 ')
 optional_policy(`
+ milter_delete_dkim_pid_files(initrc_t)
 milter_setattr_all_dirs(initrc_t)
 ')
diff --git a/policy/modules/system/libraries.te b/policy/modules/system/libraries.te
index 561a8490..99d7f60f 100644
--- a/policy/modules/system/libraries.te
+++ b/policy/modules/system/libraries.te
@@ -153,4 +153,5 @@ optional_policy(`
 optional_policy(`
 unconfined_domain(ldconfig_t)
-')'
+')
+
diff --git a/policy/modules/system/udev.te b/policy/modules/system/udev.te
index f99fdcbe..9f316caf 100644
--- a/policy/modules/system/udev.te
+++ b/policy/modules/system/udev.te
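Review bot: In the `xserver_role` hunk the user domain already has `manage_dirs_pattern`/`manage_files_pattern` on user_fonts_t, so the new read-only `allow $2 user_fonts_t:lnk_file read_lnk_file_perms;` is inconsistent with its neighbours: the same user that may create and delete files in their font directory cannot create or remove a symlink there. If full ownership of the directory is the intent, `manage_lnk_files_pattern($2, user_fonts_t, user_fonts_t)` matches the two lines above it and is a superset of the read rule; the read-only additions in `xserver_restricted_role` and `xserver_use_user_fonts` are the right shape as written.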
@@ -112,7 +112,9 @@ domain_dontaudit_ptrace_all_domains(udev_t)
 #pidof triggers these
 files_read_usr_files(udev_t)
 files_read_etc_runtime_files(udev_t)
-files_read_etc_files(udev_t)
+
+# console_init manages files in /etc/sysconfig
+files_manage_etc_files(udev_t)
 files_exec_etc_files(udev_t)
 files_dontaudit_search_isid_type_dirs(udev_t)
 files_getattr_generic_locks(udev_t)
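Review bot: `files_manage_etc_files(udev_t)` lets udev create, write and delete every file labelled etc_t, which covers most of /etc rather than the /etc/sysconfig files the comment names, and udev's rules run in response to device events, so this widens what a hotplugged device (or a bug in any udev helper) can overwrite from read-only to the bulk of system configuration. The narrower fix is a dedicated type for the files console_init actually rewrites (which ones is not visible here) with a manage rule for that type only, or running console_init in its own domain; until then the comment should name the exact files and mark the rule as temporary, e.g. `# console_init (run from udev rules) rewrites /etc/sysconfig/<file> -- TODO give those files their own type and drop manage on etc_t`.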