From 2bf7d82f60aaa53cae3921cfdae5099169021dae Mon Sep 17 00:00:00 2001 From: Daniel J Walsh Date: Sep 19 2009 01:38:29 +0000 Subject: - More fixes for sandbox_web_t
---
diff --git a/policy-F12.patch b/policy-F12.patch
index b97f90e..110cd5a 100644
--- a/policy-F12.patch
+++ b/policy-F12.patch
@@ -2465,8 +2465,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +/usr/lib(64)?/mozilla/plugins-wrapped(/.*)? gen_context(system_u:object_r:nsplugin_rw_t,s0)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin.if serefpolicy-3.6.32/policy/modules/apps/nsplugin.if
 --- nsaserefpolicy/policy/modules/apps/nsplugin.if 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.6.32/policy/modules/apps/nsplugin.if 2009-09-17 12:55:18.000000000 -0400
-@@ -0,0 +1,318 @@
++++ serefpolicy-3.6.32/policy/modules/apps/nsplugin.if 2009-09-18 21:30:00.000000000 -0400
+@@ -0,0 +1,319 @@
 +
 +## policy for nsplugin
 +
@@ -2706,6 +2706,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 + type nsplugin_rw_t;
 + ')
 +
++ list_dirs_pattern($1, nsplugin_rw_t, nsplugin_rw_t)
 + read_files_pattern($1, nsplugin_rw_t, nsplugin_rw_t)
 + read_lnk_files_pattern($1, nsplugin_rw_t, nsplugin_rw_t)
 +')
@@ -3809,8 +3810,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +')
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox.te serefpolicy-3.6.32/policy/modules/apps/sandbox.te
 --- nsaserefpolicy/policy/modules/apps/sandbox.te 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.6.32/policy/modules/apps/sandbox.te 2009-09-18 11:29:38.000000000 -0400
-@@ -0,0 +1,323 @@
++++ serefpolicy-3.6.32/policy/modules/apps/sandbox.te 2009-09-18 21:31:34.000000000 -0400
+@@ -0,0 +1,324 @@
 +policy_module(sandbox,1.0.0)
 +dbus_stub()
 +attribute sandbox_domain;
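Review bot: The added `list_dirs_pattern($1, nsplugin_rw_t, nsplugin_rw_t)` widens what this interface grants from reading files (with the directory search that `read_files_pattern` already carries) to listing the `nsplugin_rw_t` directories themselves, but the interface's `## <summary>` header sits above the hunk and presumably still describes a read-files interface. Update the summary so callers know listing is included, e.g. `## List directories and read files and symlinks of nsplugin_rw_t.` Every existing caller now receives the extra list access, so a one-line comment naming why it is needed would help the next reader. The interface's name and opening lines are outside the hunk.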
@@ -3946,7 +3947,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +dontaudit sandbox_x_domain self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
 +
 +files_search_home(sandbox_x_domain)
-+files_dontaudit_getattr_tmp_dirs(sandbox_x_domain)
++files_dontaudit_list_tmp(sandbox_x_domain)
 +
 +kernel_read_system_state(sandbox_x_domain)
 +
@@ -4061,6 +4062,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +corenet_tcp_connect_ftp_port(sandbox_web_client_t)
 +corenet_tcp_connect_ipp_port(sandbox_web_client_t)
 +corenet_tcp_connect_generic_port(sandbox_web_client_t)
++corenet_tcp_connect_sound_port(sandbox_web_client_t)
 +corenet_sendrecv_http_client_packets(sandbox_web_client_t)
 +corenet_sendrecv_http_cache_client_packets(sandbox_web_client_t)
 +corenet_sendrecv_ftp_client_packets(sandbox_web_client_t)
@@ -5319,7 +5321,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 /var/lib/nfs/rpc_pipefs(/.*)? <>
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.if serefpolicy-3.6.32/policy/modules/kernel/files.if
 --- nsaserefpolicy/policy/modules/kernel/files.if 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.32/policy/modules/kernel/files.if 2009-09-18 17:16:00.000000000 -0400
++++ serefpolicy-3.6.32/policy/modules/kernel/files.if 2009-09-18 21:30:50.000000000 -0400
 @@ -110,6 +110,11 @@
 ##
 #
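Review bot: Replacing `files_dontaudit_getattr_tmp_dirs` with `files_dontaudit_list_tmp` silences a broader set of denials on tmp directories for every `sandbox_x_domain` member (the list permission set rather than getattr alone), and the hunk gives no hint of which access was noisy. A dontaudit that is wider than the observed denial makes later policy debugging harder, so a short comment above the rule stating what the sandboxed X clients do that trips it would justify the widening, e.g. `# X sandbox clients probe /tmp; silence the listing denials rather than allow them`. The rest of the sandbox_x_domain rules continue outside the hunk.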
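Review bot: `corenet_tcp_connect_sound_port(sandbox_web_client_t)` is an unconditional allow, so every web sandbox instance may now open TCP connections to sound-server ports whether or not it plays audio, and unlike the http and ftp entries in this block it is not paired with a matching `corenet_sendrecv_*_client_packets` rule. If this refpolicy version generates `corenet_sendrecv_sound_client_packets`, add it beside the other sendrecv rules for consistency; otherwise note why the packet-side rule is absent. A one-line comment on the new rule naming the use case would also help, e.g. `# browser plugins may talk to a networked sound daemon`. The sandbox_web_client_t rule set continues beyond the hunk.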
@@ -14536,6 +14538,17 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 hostname_exec(pptp_t)
 ')
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/prelude.te serefpolicy-3.6.32/policy/modules/services/prelude.te
+--- nsaserefpolicy/policy/modules/services/prelude.te 2009-08-14 16:14:31.000000000 -0400
++++ serefpolicy-3.6.32/policy/modules/services/prelude.te 2009-09-18 21:24:50.000000000 -0400
+@@ -123,6 +123,7 @@
+ # prelude_audisp local policy
+ #
+ allow prelude_audisp_t self:capability dac_override;
++allow prelude_audisp_t self:process { getcap setcap };
+ allow prelude_audisp_t self:fifo_file rw_file_perms;
+ allow prelude_audisp_t self:unix_stream_socket create_stream_socket_perms;
+ allow prelude_audisp_t self:unix_dgram_socket create_socket_perms;
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/privoxy.te serefpolicy-3.6.32/policy/modules/services/privoxy.te
 --- nsaserefpolicy/policy/modules/services/privoxy.te 2009-08-14 16:14:31.000000000 -0400
 +++ serefpolicy-3.6.32/policy/modules/services/privoxy.te 2009-09-16 10:03:09.000000000 -0400