Mozilla_plugin needs to getattr on tmpfs and no longer needs to write to tmpfs_t
Cleanup of the nsplugin interface definition. Latest pm-utils is causing lots of domains to see a leaked lock file. I want mplayer to run as unconfined_execmem_t. mountpoint is causing dbus and init apps to getattr on all filesystem directories. Miroslav: update dkim-milter. NetworkManager dbus chats with init. Allow apps that can read user_fonts_t to read the symbolic link. udev needs to manage etc_t.
This commit is contained in:
parent
5dd0c28461
commit
dfe675b8f7
@ -10,7 +10,6 @@
|
|||||||
/usr/bin/runhaskell -- gen_context(system_u:object_r:execmem_exec_t,s0)
|
/usr/bin/runhaskell -- gen_context(system_u:object_r:execmem_exec_t,s0)
|
||||||
/usr/bin/sbcl -- gen_context(system_u:object_r:execmem_exec_t,s0)
|
/usr/bin/sbcl -- gen_context(system_u:object_r:execmem_exec_t,s0)
|
||||||
/usr/bin/skype -- gen_context(system_u:object_r:execmem_exec_t,s0)
|
/usr/bin/skype -- gen_context(system_u:object_r:execmem_exec_t,s0)
|
||||||
/usr/bin/vlc -- gen_context(system_u:object_r:execmem_exec_t,s0)
|
|
||||||
/usr/bin/valgrind -- gen_context(system_u:object_r:execmem_exec_t,s0)
|
/usr/bin/valgrind -- gen_context(system_u:object_r:execmem_exec_t,s0)
|
||||||
/usr/sbin/vboxadd-service -- gen_context(system_u:object_r:execmem_exec_t,s0)
|
/usr/sbin/vboxadd-service -- gen_context(system_u:object_r:execmem_exec_t,s0)
|
||||||
/usr/sbin/VBox.* -- gen_context(system_u:object_r:execmem_exec_t,s0)
|
/usr/sbin/VBox.* -- gen_context(system_u:object_r:execmem_exec_t,s0)
|
||||||
|
@ -332,8 +332,7 @@ domain_dontaudit_read_all_domains_state(mozilla_plugin_t)
|
|||||||
files_read_config_files(mozilla_plugin_t)
|
files_read_config_files(mozilla_plugin_t)
|
||||||
files_read_usr_files(mozilla_plugin_t)
|
files_read_usr_files(mozilla_plugin_t)
|
||||||
|
|
||||||
# Would like to get rid of this but needed to talk to mislabeled tmpfs
|
fs_getattr_tmpfs(mozilla_plugin_t)
|
||||||
fs_rw_tmpfs_files(mozilla_plugin_t)
|
|
||||||
|
|
||||||
miscfiles_read_localization(mozilla_plugin_t)
|
miscfiles_read_localization(mozilla_plugin_t)
|
||||||
miscfiles_read_fonts(mozilla_plugin_t)
|
miscfiles_read_fonts(mozilla_plugin_t)
|
||||||
@ -367,4 +366,3 @@ optional_policy(`
|
|||||||
xserver_read_xdm_pid(mozilla_plugin_t)
|
xserver_read_xdm_pid(mozilla_plugin_t)
|
||||||
xserver_stream_connect(mozilla_plugin_t)
|
xserver_stream_connect(mozilla_plugin_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
|
@ -45,27 +45,16 @@ interface(`nsplugin_manage_rw',`
|
|||||||
## <summary>
|
## <summary>
|
||||||
## The per role template for the nsplugin module.
|
## The per role template for the nsplugin module.
|
||||||
## </summary>
|
## </summary>
|
||||||
## <desc>
|
|
||||||
## <p>
|
|
||||||
## This template creates a derived domains which are used
|
|
||||||
## for nsplugin web browser.
|
|
||||||
## </p>
|
|
||||||
## <p>
|
|
||||||
## This template is invoked automatically for each user, and
|
|
||||||
## generally does not need to be invoked directly
|
|
||||||
## by policy writers.
|
|
||||||
## </p>
|
|
||||||
## </desc>
|
|
||||||
## <param name="user_role">
|
## <param name="user_role">
|
||||||
## <summary>
|
## <summary>
|
||||||
## The role associated with the user domain.
|
## The role associated with the user domain.
|
||||||
## </summary>
|
## </summary>
|
||||||
|
## </param>
|
||||||
## <param name="user_domain">
|
## <param name="user_domain">
|
||||||
## <summary>
|
## <summary>
|
||||||
## The type of the user domain.
|
## The type of the user domain.
|
||||||
## </summary>
|
## </summary>
|
||||||
## </param>
|
## </param>
|
||||||
## </param>
|
|
||||||
#
|
#
|
||||||
interface(`nsplugin_role_notrans',`
|
interface(`nsplugin_role_notrans',`
|
||||||
gen_require(`
|
gen_require(`
|
||||||
|
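Review bot: The unchanged summary line `## The per role template for the nsplugin module.` still describes nsplugin_role_notrans as a template, even though the block is declared with `interface(` and this commit removes the `<desc>` that repeated the template wording. The structural repair (adding the missing `## </param>` after the user_role summary and dropping the duplicate `## </param>` at the end) is correct. A summary matching the interface's name, e.g. `## Role access to the nsplugin domains without a domain transition.`, would be more accurate; hedged, since the interface body is outside the hunk.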
@ -251,6 +251,10 @@ ifdef(`hide_broken_symptoms',`
|
|||||||
allow domain domain:key { link search };
|
allow domain domain:key { link search };
|
||||||
')
|
')
|
||||||
|
|
||||||
|
optional_policy(`
|
||||||
|
hal_dontaudit_read_pid_files(domain)
|
||||||
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
ifdef(`hide_broken_symptoms',`
|
ifdef(`hide_broken_symptoms',`
|
||||||
afs_rw_udp_sockets(domain)
|
afs_rw_udp_sockets(domain)
|
||||||
|
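Review bot: The added `hal_dontaudit_read_pid_files(domain)` is unconditional, while the neighbouring afs_rw_udp_sockets(domain) workaround in the same file is wrapped in `ifdef(`hide_broken_symptoms',`` and the commit message describes this as a leaked lock file from pm-utils rather than legitimate access. Wrapping the new call the same way keeps the breakage visible when hide_broken_symptoms is off and documents it as a workaround, and the block currently has no comment saying why every domain needs it. Suggest `# pm-utils leaks a hal lock/pid file into the domains it spawns` directly above the call, inside the ifdef.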
@ -13,6 +13,13 @@ attribute unconfined_login_domain;
|
|||||||
## </desc>
|
## </desc>
|
||||||
gen_tunable(allow_unconfined_nsplugin_transition, false)
|
gen_tunable(allow_unconfined_nsplugin_transition, false)
|
||||||
|
|
||||||
|
## <desc>
|
||||||
|
## <p>
|
||||||
|
## Allow vidio playing tools to tun unconfined
|
||||||
|
## </p>
|
||||||
|
## </desc>
|
||||||
|
gen_tunable(unconfined_mplayer, false)
|
||||||
|
|
||||||
## <desc>
|
## <desc>
|
||||||
## <p>
|
## <p>
|
||||||
## Allow a user to login as an unconfined domain
|
## Allow a user to login as an unconfined domain
|
||||||
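Review bot: The description of the new `unconfined_mplayer` tunable has two typos: `## Allow vidio playing tools to tun unconfined` should read `## Allow video playing tools to run unconfined`. These desc strings are extracted into the generated policy documentation and shown by tunable-management tooling, so the wording is user-visible.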
@ -435,6 +442,12 @@ optional_policy(`
|
|||||||
')
|
')
|
||||||
')
|
')
|
||||||
|
|
||||||
|
optional_policy(`
|
||||||
|
tunable_policy(`unconfined_login',`
|
||||||
|
mplayer_exec_domtrans(unconfined_t, unconfined_execmem_t)
|
||||||
|
')
|
||||||
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
openoffice_exec_domtrans(unconfined_t, unconfined_execmem_t)
|
openoffice_exec_domtrans(unconfined_t, unconfined_execmem_t)
|
||||||
')
|
')
|
||||||
|
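Review bot: The new mplayer block is gated on `tunable_policy(`unconfined_login',`` but the tunable this commit introduces for exactly this purpose is `unconfined_mplayer`, which is not referenced by any visible hunk. As written, toggling unconfined_mplayer has no effect and the mplayer → unconfined_execmem_t transition follows the login tunable instead (whose desc, "Allow a user to login as an unconfined domain", is unrelated). Change the guard to `tunable_policy(`unconfined_mplayer',`.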
@ -442,7 +442,7 @@ interface(`dbus_system_domain',`
|
|||||||
|
|
||||||
domtrans_pattern(system_dbusd_t, $2, $1)
|
domtrans_pattern(system_dbusd_t, $2, $1)
|
||||||
|
|
||||||
fs_search_cgroup_dirs($1)
|
fs_search_all($1)
|
||||||
|
|
||||||
dbus_system_bus_client($1)
|
dbus_system_bus_client($1)
|
||||||
dbus_connect_system_bus($1)
|
dbus_connect_system_bus($1)
|
||||||
|
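Review bot: Replacing `fs_search_cgroup_dirs($1)` with `fs_search_all($1)` grants every domain that uses dbus_system_domain search on the directories of every filesystem type, which is considerably wider than the getattr-on-mountpoints problem the commit message describes. If the denials are only getattr on mounted filesystem directories, a getattr-only filesystem interface would be the least-privilege fix; hedged, since I have not checked which such interface this tree provides. Whatever is kept should carry a why comment, e.g. `# mountpoint(1) stats every mounted filesystem directory`. The interface body continues outside the hunk.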
@ -1,3 +1,6 @@
|
|||||||
|
/etc/mail/dkim-milter/keys(/.*)? gen_context(system_u:object_r:dkim_milter_private_key_t,s0)
|
||||||
|
|
||||||
|
/usr/sbin/dkim-filter -- gen_context(system_u:object_r:dkim_milter_exec_t,s0)
|
||||||
/usr/sbin/milter-greylist -- gen_context(system_u:object_r:greylist_milter_exec_t,s0)
|
/usr/sbin/milter-greylist -- gen_context(system_u:object_r:greylist_milter_exec_t,s0)
|
||||||
/usr/sbin/milter-regex -- gen_context(system_u:object_r:regex_milter_exec_t,s0)
|
/usr/sbin/milter-regex -- gen_context(system_u:object_r:regex_milter_exec_t,s0)
|
||||||
/usr/sbin/spamass-milter -- gen_context(system_u:object_r:spamass_milter_exec_t,s0)
|
/usr/sbin/spamass-milter -- gen_context(system_u:object_r:spamass_milter_exec_t,s0)
|
||||||
@ -5,6 +8,7 @@
|
|||||||
/var/lib/milter-greylist(/.*)? gen_context(system_u:object_r:greylist_milter_data_t,s0)
|
/var/lib/milter-greylist(/.*)? gen_context(system_u:object_r:greylist_milter_data_t,s0)
|
||||||
/var/lib/spamass-milter(/.*)? gen_context(system_u:object_r:spamass_milter_state_t,s0)
|
/var/lib/spamass-milter(/.*)? gen_context(system_u:object_r:spamass_milter_state_t,s0)
|
||||||
|
|
||||||
|
/var/run/dkim-milter(/.*)? gen_context(system_u:object_r:dkim_milter_data_t,s0)
|
||||||
/var/run/milter-greylist(/.*)? gen_context(system_u:object_r:greylist_milter_data_t,s0)
|
/var/run/milter-greylist(/.*)? gen_context(system_u:object_r:greylist_milter_data_t,s0)
|
||||||
/var/run/milter-greylist\.pid -- gen_context(system_u:object_r:greylist_milter_data_t,s0)
|
/var/run/milter-greylist\.pid -- gen_context(system_u:object_r:greylist_milter_data_t,s0)
|
||||||
/var/run/spamass-milter(/.*)? gen_context(system_u:object_r:spamass_milter_data_t,s0)
|
/var/run/spamass-milter(/.*)? gen_context(system_u:object_r:spamass_milter_data_t,s0)
|
||||||
|
@ -120,3 +120,22 @@ interface(`milter_manage_spamass_state',`
|
|||||||
manage_dirs_pattern($1, spamass_milter_state_t, spamass_milter_state_t)
|
manage_dirs_pattern($1, spamass_milter_state_t, spamass_milter_state_t)
|
||||||
manage_lnk_files_pattern($1, spamass_milter_state_t, spamass_milter_state_t)
|
manage_lnk_files_pattern($1, spamass_milter_state_t, spamass_milter_state_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
|
#######################################
|
||||||
|
## <summary>
|
||||||
|
## Delete dkim-milter PID files.
|
||||||
|
## </summary>
|
||||||
|
## <param name="domain">
|
||||||
|
## <summary>
|
||||||
|
## Domain allowed access.
|
||||||
|
## </summary>
|
||||||
|
## </param>
|
||||||
|
#
|
||||||
|
interface(`milter_delete_dkim_pid_files',`
|
||||||
|
gen_require(`
|
||||||
|
type dkim_milter_data_t;
|
||||||
|
')
|
||||||
|
|
||||||
|
files_search_pids($1)
|
||||||
|
delete_files_pattern($1, dkim_milter_data_t, dkim_milter_data_t)
|
||||||
|
')
|
||||||
|
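Review bot: `delete_files_pattern($1, dkim_milter_data_t, dkim_milter_data_t)` grants deletion of every file labelled dkim_milter_data_t, and the file-context hunk above labels the whole `/var/run/dkim-milter(/.*)?` tree with that type, so the summary `## Delete dkim-milter PID files.` understates the scope. Suggest `## Delete dkim-milter runtime files (dkim_milter_data_t) under /var/run.` so callers such as initrc_t know what they are being granted. The interface name could stay for consistency with the other milter interfaces.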
@ -9,6 +9,13 @@ policy_module(milter, 1.2.1)
|
|||||||
attribute milter_domains;
|
attribute milter_domains;
|
||||||
attribute milter_data_type;
|
attribute milter_data_type;
|
||||||
|
|
||||||
|
# support for dkim-milter - domainKeys Identified Mail sender authentication sendmail milter
|
||||||
|
milter_template(dkim)
|
||||||
|
|
||||||
|
# type for the private key of dkim-milter
|
||||||
|
type dkim_milter_private_key_t;
|
||||||
|
files_type(dkim_milter_private_key_t)
|
||||||
|
|
||||||
# currently-supported milters are milter-greylist, milter-regex and spamass-milter
|
# currently-supported milters are milter-greylist, milter-regex and spamass-milter
|
||||||
milter_template(greylist)
|
milter_template(greylist)
|
||||||
milter_template(regex)
|
milter_template(regex)
|
||||||
@ -20,6 +27,23 @@ milter_template(spamass)
|
|||||||
type spamass_milter_state_t;
|
type spamass_milter_state_t;
|
||||||
files_type(spamass_milter_state_t)
|
files_type(spamass_milter_state_t)
|
||||||
|
|
||||||
|
#######################################
|
||||||
|
#
|
||||||
|
# dkim-milter local policy
|
||||||
|
#
|
||||||
|
|
||||||
|
allow dkim_milter_t self:capability { kill setgid setuid };
|
||||||
|
|
||||||
|
allow dkim_milter_t self:unix_stream_socket create_stream_socket_perms;
|
||||||
|
|
||||||
|
read_files_pattern(dkim_milter_t, dkim_milter_private_key_t, dkim_milter_private_key_t)
|
||||||
|
|
||||||
|
auth_use_nsswitch(dkim_milter_t)
|
||||||
|
|
||||||
|
sysnet_dns_name_resolve(dkim_milter_t)
|
||||||
|
|
||||||
|
mta_read_config(dkim_milter_t)
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
# milter-greylist local policy
|
# milter-greylist local policy
|
||||||
|
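Review bot: `allow dkim_milter_t self:capability { kill setgid setuid };` grants the kill capability with no comment explaining why a milter must signal processes of other UIDs; setgid/setuid are expected for a daemon dropping privileges, kill is not, so either drop it if the denial was incidental or add `# kill: <reason> — confirm against the daemon` above the rule. If auth_use_nsswitch already pulls in DNS resolution, as it does in refpolicy's authlogin.if, the separate `sysnet_dns_name_resolve(dkim_milter_t)` is redundant; hedged, since that interface is outside this page. The private-key read rule is appropriately limited to dkim_milter_t only.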
@ -189,6 +189,8 @@ optional_policy(`
|
|||||||
optional_policy(`
|
optional_policy(`
|
||||||
dbus_system_domain(NetworkManager_t, NetworkManager_exec_t)
|
dbus_system_domain(NetworkManager_t, NetworkManager_exec_t)
|
||||||
|
|
||||||
|
init_dbus_chat(NetworkManager_t)
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
consolekit_dbus_chat(NetworkManager_t)
|
consolekit_dbus_chat(NetworkManager_t)
|
||||||
')
|
')
|
||||||
|
@ -38,6 +38,7 @@ interface(`xserver_restricted_role',`
|
|||||||
|
|
||||||
allow $2 user_fonts_t:dir list_dir_perms;
|
allow $2 user_fonts_t:dir list_dir_perms;
|
||||||
allow $2 user_fonts_t:file read_file_perms;
|
allow $2 user_fonts_t:file read_file_perms;
|
||||||
|
allow $2 user_fonts_t:lnk_file read_lnk_file_perms;
|
||||||
|
|
||||||
allow $2 user_fonts_config_t:dir list_dir_perms;
|
allow $2 user_fonts_config_t:dir list_dir_perms;
|
||||||
allow $2 user_fonts_config_t:file read_file_perms;
|
allow $2 user_fonts_config_t:file read_file_perms;
|
||||||
@ -164,6 +165,7 @@ interface(`xserver_role',`
|
|||||||
mls_xwin_read_to_clearance($2)
|
mls_xwin_read_to_clearance($2)
|
||||||
manage_dirs_pattern($2, user_fonts_t, user_fonts_t)
|
manage_dirs_pattern($2, user_fonts_t, user_fonts_t)
|
||||||
manage_files_pattern($2, user_fonts_t, user_fonts_t)
|
manage_files_pattern($2, user_fonts_t, user_fonts_t)
|
||||||
|
allow $2 user_fonts_t:lnk_file read_lnk_file_perms;
|
||||||
relabel_dirs_pattern($2, user_fonts_t, user_fonts_t)
|
relabel_dirs_pattern($2, user_fonts_t, user_fonts_t)
|
||||||
relabel_files_pattern($2, user_fonts_t, user_fonts_t)
|
relabel_files_pattern($2, user_fonts_t, user_fonts_t)
|
||||||
|
|
||||||
@ -551,6 +553,7 @@ interface(`xserver_use_user_fonts',`
|
|||||||
# Read per user fonts
|
# Read per user fonts
|
||||||
allow $1 user_fonts_t:dir list_dir_perms;
|
allow $1 user_fonts_t:dir list_dir_perms;
|
||||||
allow $1 user_fonts_t:file read_file_perms;
|
allow $1 user_fonts_t:file read_file_perms;
|
||||||
|
allow $1 user_fonts_t:lnk_file read_lnk_file_perms;
|
||||||
|
|
||||||
# Manipulate the global font cache
|
# Manipulate the global font cache
|
||||||
manage_dirs_pattern($1, user_fonts_cache_t, user_fonts_cache_t)
|
manage_dirs_pattern($1, user_fonts_cache_t, user_fonts_cache_t)
|
||||||
|
@ -882,6 +882,7 @@ optional_policy(`
|
|||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
|
milter_delete_dkim_pid_files(initrc_t)
|
||||||
milter_setattr_all_dirs(initrc_t)
|
milter_setattr_all_dirs(initrc_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
|
@ -153,4 +153,5 @@ optional_policy(`
|
|||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
unconfined_domain(ldconfig_t)
|
unconfined_domain(ldconfig_t)
|
||||||
')'
|
')
|
||||||
|
|
||||||
|
@ -112,7 +112,9 @@ domain_dontaudit_ptrace_all_domains(udev_t) #pidof triggers these
|
|||||||
|
|
||||||
files_read_usr_files(udev_t)
|
files_read_usr_files(udev_t)
|
||||||
files_read_etc_runtime_files(udev_t)
|
files_read_etc_runtime_files(udev_t)
|
||||||
files_read_etc_files(udev_t)
|
|
||||||
|
# console_init manages files in /etc/sysconfig
|
||||||
|
files_manage_etc_files(udev_t)
|
||||||
files_exec_etc_files(udev_t)
|
files_exec_etc_files(udev_t)
|
||||||
files_dontaudit_search_isid_type_dirs(udev_t)
|
files_dontaudit_search_isid_type_dirs(udev_t)
|
||||||
files_getattr_generic_locks(udev_t)
|
files_getattr_generic_locks(udev_t)
|
||||||
|
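Review bot: `files_manage_etc_files(udev_t)` gives udev create, write and unlink on every etc_t file system-wide, while the comment names only `/etc/sysconfig` (console_init) as the reason; udev acts on device events it does not control, so this is a large widening of its write scope. The least-privilege fix is a dedicated type for the files console_init writes, granted to udev_t alone, in the same spirit as the existing `files_read_etc_runtime_files(udev_t)` split; hedged, since which files console_init touches is not visible here. If the broad grant is kept for now, the comment should say so explicitly, e.g. `# TODO: narrow to a dedicated type; console_init writes /etc/sysconfig`.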