Allow gpg_pinentry_t to use fifo files of apps that transition to gpg_agent
Add mozilla_plugin_tmp_t. Allow mozilla_plugin to interact with pulseaudio tmpfs_t. Add apache labels for poodle. Add boolean to allow apache to connect to memcache_port. nagios sends signal and sigkill to system_mail_t.
This commit is contained in:
parent
b631f26416
commit
ef98a37444
@ -54,6 +54,8 @@ interface(`gpg_role',`
|
||||
manage_sock_files_pattern($2, gpg_pinentry_tmp_t, gpg_pinentry_tmp_t)
|
||||
relabel_sock_files_pattern($2, gpg_pinentry_tmp_t, gpg_pinentry_tmp_t)
|
||||
|
||||
allow gpg_pinentry_t $2:fifo_file { read write };
|
||||
|
||||
optional_policy(`
|
||||
gpg_pinentry_dbus_chat($2)
|
||||
')
|
||||
|
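Review bot: The new `allow gpg_pinentry_t $2:fifo_file { read write };` line has no comment saying why pinentry needs the user domain's pipes, and it is the only unconditional rule added here while the dbus access below it stays inside optional_policy. Suggest `# pinentry inherits pipes from $2 when an application transitions to gpg_agent` above it, which is what the commit title states. Read/write without open matches access to an already-open inherited descriptor only; if pinentry must also open named pipes owned by $2, the set would need `open` as well. The gpg_role interface and its gen_require begin outside the hunk, so I cannot confirm gpg_pinentry_t is required there.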
@ -39,6 +39,9 @@ type mozilla_plugin_exec_t;
|
||||
application_domain(mozilla_plugin_t, mozilla_plugin_exec_t)
|
||||
role system_r types mozilla_plugin_t;
|
||||
|
||||
type mozilla_plugin_tmp_t;
|
||||
files_tmp_file(mozilla_plugin_tmp_t)
|
||||
|
||||
permissive mozilla_plugin_t;
|
||||
|
||||
########################################
|
||||
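Review bot: The new declaration `type mozilla_plugin_tmp_t;` carries no comment, unlike the exec type above it, and the later tmp rules are the only hint of what it holds. Suggest `# private /tmp files and directories created by the plugin domain` above it. Note that the `permissive mozilla_plugin_t;` line visible a few lines down means the rules added for the new type are only audited, not enforced, for as long as that line remains.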
@ -298,6 +301,10 @@ allow mozilla_plugin_t self:unix_stream_socket { connectto create_stream_socket_
|
||||
|
||||
read_files_pattern(mozilla_plugin_t, mozilla_home_t, mozilla_home_t)
|
||||
|
||||
manage_dirs_pattern(mozilla_plugin_t, mozilla_plugin_tmp_t, mozilla_plugin_tmp_t)
|
||||
manage_files_pattern(mozilla_plugin_t, mozilla_plugin_tmp_t, mozilla_plugin_tmp_t)
|
||||
files_tmp_filetrans(mozilla_plugin_t, mozilla_plugin_tmp_t, { dir file })
|
||||
|
||||
kernel_read_kernel_sysctls(mozilla_plugin_t)
|
||||
kernel_read_system_state(mozilla_plugin_t)
|
||||
kernel_request_load_module(mozilla_plugin_t)
|
||||
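Review bot: The transition `files_tmp_filetrans(mozilla_plugin_t, mozilla_plugin_tmp_t, { dir file })` covers only directories and regular files, so any other object class a plugin creates in /tmp would keep the parent's default type and fall outside the two manage_* rules above it; whether plugins create such objects I cannot tell from the hunk. A one-line comment naming what the private tmp type is meant to hold, e.g. `# plugin scratch files in /tmp are created with the private tmp type`, would make the class list reviewable. The manage rules also grant no link-file access, which is fine only if nothing symlinks inside the scratch directory.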
@ -313,11 +320,16 @@ domain_dontaudit_read_all_domains_state(mozilla_plugin_t)
|
||||
files_read_config_files(mozilla_plugin_t)
|
||||
files_read_usr_files(mozilla_plugin_t)
|
||||
|
||||
# Would like to get rid of this but needed to talk to mislabeled tmpfs
|
||||
fs_rw_tmpfs_files(mozilla_plugin_t)
|
||||
|
||||
miscfiles_read_localization(mozilla_plugin_t)
|
||||
|
||||
term_getattr_all_ttys(mozilla_plugin_t)
|
||||
term_getattr_all_ptys(mozilla_plugin_t)
|
||||
|
||||
userdom_rw_user_tmpfs_files(mozilla_plugin_t)
|
||||
|
||||
optional_policy(`
|
||||
nsplugin_domtrans(mozilla_plugin_t)
|
||||
nsplugin_rw_exec(mozilla_plugin_t)
|
||||
|
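Review bot: `fs_rw_tmpfs_files(mozilla_plugin_t)` grants read/write on every tmpfs_t file on the system, not only the pulseaudio segments the commit message mentions, and the comment above it does not say which files are mislabeled. Suggest extending it to `# Would like to get rid of this but needed to talk to pulseaudio shm that is still labeled tmpfs_t instead of a private type` so the workaround can be retired once the labeling is fixed. `userdom_rw_user_tmpfs_files(mozilla_plugin_t)` further down is the narrower grant and would presumably stay when the broad one is removed.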
@ -115,6 +115,7 @@ ifdef(`distro_debian', `
|
||||
/var/www/gallery/albums(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
|
||||
|
||||
/var/lib/koji(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
|
||||
/var/lib/poodle/po(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
|
||||
/var/lib/rt3/data/RT-Shredder(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0)
|
||||
|
||||
/var/www/svn(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
|
||||
|
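Review bot: The new `/var/lib/poodle/po(/.*)?` entry labels the whole `po` subtree httpd_sys_rw_content_t, so httpd can create and modify anything beneath it. If only part of that tree is written at runtime, labeling the rest httpd_sys_content_t keeps the writable surface minimal; I cannot tell from the hunk which paths poodle actually writes.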
@ -78,6 +78,13 @@ gen_tunable(httpd_can_network_connect_cobbler, false)
|
||||
## </desc>
|
||||
gen_tunable(httpd_can_network_connect_db, false)
|
||||
|
||||
## <desc>
|
||||
## <p>
|
||||
## Allow httpd to connect to memcache server
|
||||
## </p>
|
||||
## </desc>
|
||||
gen_tunable(httpd_can_network_memcache, false)
|
||||
|
||||
## <desc>
|
||||
## <p>
|
||||
## Allow httpd to act as a relay
|
||||
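Review bot: The new tunable name `httpd_can_network_memcache` breaks the `httpd_can_network_connect_*` pattern of the neighbouring booleans (`httpd_can_network_connect_db`, `httpd_can_network_connect_cobbler`); boolean names are user-visible and awkward to rename once shipped, so `gen_tunable(httpd_can_network_connect_memcache, false)` would be the consistent choice. The tunable_policy block in the later apache.te hunk references the same name and would change with it. The description text itself reads fine.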
@ -515,6 +522,10 @@ tunable_policy(`httpd_can_network_connect',`
|
||||
corenet_tcp_connect_all_ports(httpd_t)
|
||||
')
|
||||
|
||||
tunable_policy(`httpd_can_network_memcache',`
|
||||
corenet_tcp_connect_memcache_port(httpd_t)
|
||||
')
|
||||
|
||||
tunable_policy(`httpd_can_network_relay',`
|
||||
# allow httpd to work as a relay
|
||||
corenet_tcp_connect_gopher_port(httpd_t)
|
||||
|
@ -265,7 +265,8 @@ read_files_pattern(dovecot_deliver_t, dovecot_etc_t, dovecot_etc_t)
|
||||
allow dovecot_deliver_t dovecot_var_run_t:dir list_dir_perms;
|
||||
|
||||
allow dovecot_deliver_t dovecot_cert_t:dir search_dir_perms;
|
||||
allow dovecot_deliver_t dovecot_var_log_t:dir search_dir_perms;
|
||||
|
||||
append_files_pattern(dovecot_deliver_t, dovecot_var_log_t, dovecot_var_log_t)
|
||||
|
||||
can_exec(dovecot_deliver_t, dovecot_deliver_exec_t)
|
||||
|
||||
|
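Review bot: `allow dovecot_deliver_t dovecot_var_log_t:dir search_dir_perms;` overlaps with `append_files_pattern(dovecot_deliver_t, dovecot_var_log_t, dovecot_var_log_t)` two lines below, which already expands to search_dir_perms on its second argument's dir class before the file append rule, unless this tree defines the pattern differently. One of the two can go, and keeping only the pattern call reads cleaner. The rendered hunk does not show which of the two is the new line, so I am flagging the overlap rather than a specific addition.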
@ -438,6 +438,25 @@ interface(`mta_signal_system_mail',`
|
||||
allow $1 system_mail_t:process signal;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Send system mail client a kill signal
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
#
|
||||
interface(`mta_kill_system_mail',`
|
||||
gen_require(`
|
||||
type system_mail_t;
|
||||
')
|
||||
|
||||
allow $1 system_mail_t:process sigkill;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Execute sendmail in the caller domain.
|
||||
|
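Review bot: The new `mta_kill_system_mail` interface has two bare `#` lines between `## </param>` and `interface(`, where the usual refpolicy header layout is a single `#` separator; dropping one keeps it uniform with the rest of the file. The summary could also say when the stronger permission is appropriate, e.g. `## Send system mail client a kill signal (SIGKILL); prefer mta_signal_system_mail unless the client must be terminated unconditionally.`, since sigkill cannot be caught by the mail client.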
@ -122,6 +122,8 @@ userdom_dontaudit_use_unpriv_user_fds(nagios_t)
|
||||
userdom_dontaudit_search_user_home_dirs(nagios_t)
|
||||
|
||||
mta_send_mail(nagios_t)
|
||||
mta_signal_system_mail(nagios_t)
|
||||
mta_kill_system_mail(nagios_t)
|
||||
|
||||
optional_policy(`
|
||||
netutils_kill_ping(nagios_t)
|
||||
|
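Review bot: `mta_kill_system_mail(nagios_t)` is added directly after the signal interface with no comment on why nagios needs SIGKILL in addition to an ordinary signal. A short why-comment, e.g. `# nagios terminates mail clients it spawned that do not exit on signal`, would justify the stronger permission; I am inferring the motive, so adjust the wording to the actual trigger. The interface it calls is introduced in the mta.if hunk of this same commit.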