From ef98a37444a2b4eec9efeef341b93ef6b9afe12e Mon Sep 17 00:00:00 2001
From: Dan Walsh
Date: Fri, 3 Sep 2010 17:06:40 -0400
Subject: [PATCH] Allow gpg_pinentry_t to use fifo files of apps that transition to gpg_agent

Add mozilla_plugin_tmp_t
Allow mozilla_plugin to interact with pulseaudio tmpfs_t
Add apache labels for poodle
Add boolean to allow apache to connect to memcache_port
nagious sends signal and sigkill to system_mail_t
---
 policy/modules/apps/gpg.if | 2 ++
 policy/modules/apps/mozilla.te | 12 ++++++++++++
 policy/modules/services/apache.fc | 1 +
 policy/modules/services/apache.te | 11 +++++++++++
 policy/modules/services/dovecot.te | 3 ++-
 policy/modules/services/mta.if | 19 +++++++++++++++++++
 policy/modules/services/nagios.te | 2 ++
 7 files changed, 49 insertions(+), 1 deletion(-)

diff --git a/policy/modules/apps/gpg.if b/policy/modules/apps/gpg.if
index 7c48fc5d..13d939a5 100644
--- a/policy/modules/apps/gpg.if
+++ b/policy/modules/apps/gpg.if
@@ -54,6 +54,8 @@ interface(`gpg_role',`
 manage_sock_files_pattern($2, gpg_pinentry_tmp_t, gpg_pinentry_tmp_t)
 relabel_sock_files_pattern($2, gpg_pinentry_tmp_t, gpg_pinentry_tmp_t)
 
+ allow gpg_pinentry_t $2:fifo_file { read write };
+
 optional_policy(`
 gpg_pinentry_dbus_chat($2)
 ')
diff --git a/policy/modules/apps/mozilla.te b/policy/modules/apps/mozilla.te
index b2e4e0ca..52c2cce9 100644
--- a/policy/modules/apps/mozilla.te
+++ b/policy/modules/apps/mozilla.te
@@ -39,6 +39,9 @@ type mozilla_plugin_exec_t;
 application_domain(mozilla_plugin_t, mozilla_plugin_exec_t)
 role system_r types mozilla_plugin_t;
 
+type mozilla_plugin_tmp_t;
+files_tmp_file(mozilla_plugin_tmp_t)
+
 permissive mozilla_plugin_t;
 
 ########################################
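Review bot: The new `allow gpg_pinentry_t $2:fifo_file { read write };` hand-lists permissions where the surrounding gpg_role body uses the `*_pattern`/`*_perms` macros; a pinentry talking over a pipe inherited from the user domain often also needs `getattr` and `ioctl`, so `allow gpg_pinentry_t $2:fifo_file rw_fifo_file_perms;` (or `rw_inherited_fifo_file_perms`, if this tree defines it, which would keep `open` off the list) is both the conventional form and the more robust one. The line also needs a why-comment, because `$2` is the user domain and nothing in the hunk says where the pipe comes from: `# pinentry inherits the caller's pipe from apps that transition to gpg_agent_t`. Whether the matching `$2:fd use` is already granted to gpg_pinentry_t cannot be seen from this hunk. gpg_role continues past the end of the hunk.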
@@ -298,6 +301,10 @@ allow mozilla_plugin_t self:unix_stream_socket { connectto create_stream_socket_
 
 read_files_pattern(mozilla_plugin_t, mozilla_home_t, mozilla_home_t)
 
+manage_dirs_pattern(mozilla_plugin_t, mozilla_plugin_tmp_t, mozilla_plugin_tmp_t)
+manage_files_pattern(mozilla_plugin_t, mozilla_plugin_tmp_t, mozilla_plugin_tmp_t)
+files_tmp_filetrans(mozilla_plugin_t, mozilla_plugin_tmp_t, { dir file })
+
 kernel_read_kernel_sysctls(mozilla_plugin_t)
 kernel_read_system_state(mozilla_plugin_t)
 kernel_request_load_module(mozilla_plugin_t)
@@ -313,11 +320,16 @@ domain_dontaudit_read_all_domains_state(mozilla_plugin_t)
 files_read_config_files(mozilla_plugin_t)
 files_read_usr_files(mozilla_plugin_t)
 
+# Would like to get rid of this but needed to talk to mislabeled tmpfs
+fs_rw_tmpfs_files(mozilla_plugin_t)
+
 miscfiles_read_localization(mozilla_plugin_t)
 
 term_getattr_all_ttys(mozilla_plugin_t)
 term_getattr_all_ptys(mozilla_plugin_t)
 
+userdom_rw_user_tmpfs_files(mozilla_plugin_t)
+
 optional_policy(`
 nsplugin_domtrans(mozilla_plugin_t)
 nsplugin_rw_exec(mozilla_plugin_t)
diff --git a/policy/modules/services/apache.fc b/policy/modules/services/apache.fc
index b37de8e2..a46884d7 100644
--- a/policy/modules/services/apache.fc
+++ b/policy/modules/services/apache.fc
@@ -115,6 +115,7 @@ ifdef(`distro_debian', `
 
 /var/www/gallery/albums(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
 /var/lib/koji(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
+/var/lib/poodle/po(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
 /var/lib/rt3/data/RT-Shredder(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0)
 
 /var/www/svn(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
diff --git a/policy/modules/services/apache.te b/policy/modules/services/apache.te
index 08ec94ff..de4388ae 100644
--- a/policy/modules/services/apache.te
+++ b/policy/modules/services/apache.te
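Review bot: `fs_rw_tmpfs_files(mozilla_plugin_t)` grants read/write on every generic tmpfs_t file on the host (anything under /dev/shm or another tmpfs mount that has not been given a more specific label), which is far broader than the pulseaudio shared memory the commit message says the plugin needs, and mozilla_plugin_t is the domain that hosts third-party plugin code. If the pulseaudio segments are the only mislabeled objects, the narrower fix is to label them with pulseaudio's own tmpfs type and call that module's rw-tmpfs interface inside an `optional_policy(` block, leaving this line out; `userdom_rw_user_tmpfs_files` two lines below already covers the user's own tmpfs files. At minimum the comment should say what is mislabeled and what would allow removal, e.g. `# TODO: pulseaudio shm segments show up as plain tmpfs_t; drop this once they get their own label`. Note the domain is still declared `permissive` in the earlier hunk, so none of these grants are being exercised under enforcement yet.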
@@ -78,6 +78,13 @@ gen_tunable(httpd_can_network_connect_cobbler, false)
 ##
 gen_tunable(httpd_can_network_connect_db, false)
 
+##
+##
+## Allow httpd to connect to memcache server
+##
+##
+gen_tunable(httpd_can_network_memcache, false)
+
 ##
 ##
 ## Allow httpd to act as a relay
@@ -515,6 +522,10 @@ tunable_policy(`httpd_can_network_connect',`
 corenet_tcp_connect_all_ports(httpd_t)
 ')
 
+tunable_policy(`httpd_can_network_memcache',`
+ corenet_tcp_connect_memcache_port(httpd_t)
+')
+
 tunable_policy(`httpd_can_network_relay',`
 # allow httpd to work as a relay
 corenet_tcp_connect_gopher_port(httpd_t)
diff --git a/policy/modules/services/dovecot.te b/policy/modules/services/dovecot.te
index 554ee5ac..c771d465 100644
--- a/policy/modules/services/dovecot.te
+++ b/policy/modules/services/dovecot.te
@@ -265,7 +265,8 @@ read_files_pattern(dovecot_deliver_t, dovecot_etc_t, dovecot_etc_t)
 
 allow dovecot_deliver_t dovecot_var_run_t:dir list_dir_perms;
 allow dovecot_deliver_t dovecot_cert_t:dir search_dir_perms;
-allow dovecot_deliver_t dovecot_var_log_t:dir search_dir_perms;
+
+append_files_pattern(dovecot_deliver_t, dovecot_var_log_t, dovecot_var_log_t)
 
 can_exec(dovecot_deliver_t, dovecot_deliver_exec_t)
 
diff --git a/policy/modules/services/mta.if b/policy/modules/services/mta.if
index 01af7c3a..a9ebda27 100644
--- a/policy/modules/services/mta.if
+++ b/policy/modules/services/mta.if
@@ -438,6 +438,25 @@ interface(`mta_signal_system_mail',`
 allow $1 system_mail_t:process signal;
 ')
 
+########################################
+##
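Review bot: The new boolean is named `httpd_can_network_memcache` while its siblings declared in the same block are `httpd_can_network_connect_cobbler` and `httpd_can_network_connect_db`, so it reads as a different kind of setting; `httpd_can_network_connect_memcache` would follow the pattern, and the `tunable_policy(`httpd_can_network_memcache',`` block in the second apache.te hunk would have to change with it. Boolean names become part of the administrator interface (setsebool, booleans.local) and are painful to rename once shipped, so this is the moment to settle it. The description should also state the direction and protocol, e.g. `Allow httpd to connect to the memcache server port over TCP`, since that is exactly what `corenet_tcp_connect_memcache_port` grants.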
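Review bot: The removed `allow dovecot_deliver_t dovecot_var_log_t:dir search_dir_perms;` is subsumed by `append_files_pattern`, which expands to the same directory search plus append-only file permissions, so no access is lost and the file grant stays narrow — but the hunk carries no comment and the commit message does not mention dovecot at all, so the reason for the change is undocumented. A one-line why-comment such as `# deliver appends to dovecot's log files directly` would anchor it. Whether deliver also needs to create the log file cannot be determined from this hunk; the dovecot_deliver_t rules continue beyond it.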
+## Send system mail client a kill signal
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+#
+interface(`mta_kill_system_mail',`
+ gen_require(`
+ type system_mail_t;
+ ')
+
+ allow $1 system_mail_t:process sigkill;
+')
+
 ########################################
 ##
 ## Execute sendmail in the caller domain.
diff --git a/policy/modules/services/nagios.te b/policy/modules/services/nagios.te
index 0c4ac5be..10293892 100644
--- a/policy/modules/services/nagios.te
+++ b/policy/modules/services/nagios.te
@@ -122,6 +122,8 @@ userdom_dontaudit_use_unpriv_user_fds(nagios_t)
 userdom_dontaudit_search_user_home_dirs(nagios_t)
 
 mta_send_mail(nagios_t)
+mta_signal_system_mail(nagios_t)
+mta_kill_system_mail(nagios_t)
 
 optional_policy(`
 netutils_kill_ping(nagios_t)
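Review bot: The header of the new `mta_kill_system_mail` interface has two consecutive `+#` separator lines before `interface(`, which looks like a copy-paste slip; assuming the other interface headers in this file use a single `#` line, drop one. The interface otherwise mirrors its `signal` twin, which is the right shape, but SIGKILL cannot be caught or cleaned up after, so the summary should tell callers what it is meant for, e.g. `Send system mail client a kill signal (SIGKILL), e.g. to stop a hung notification command.` The hunk ends inside the comment header of the following interface.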
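Review bot: `mta_signal_system_mail(nagios_t)` and `mta_kill_system_mail(nagios_t)` let nagios_t signal and SIGKILL every process running as system_mail_t, not only the sendmail it spawned via `mta_send_mail` — SELinux process permissions are keyed on the target type, so any other domain's mail submission on the same host is reachable too. That is probably acceptable for a monitoring daemon that has to reap notification commands exceeding their timeout, but the scope deserves a comment: `# nagios kills notification (sendmail) commands that exceed their timeout; this reaches any system_mail_t process, not just its own children`. If nagios only ever needs to stop its own children, a derived domain for nagios-spawned mail would narrow it, though that is a larger change than this commit.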