From 5212892e229fb97a666699c9291af009302004af Mon Sep 17 00:00:00 2001
From: Dan Walsh
Date: Sep 26 2010 10:42:14 +0000
Subject: Rearrange firewallgui policy to be more easily updated to upstream, dontaudit search of /home

Allow clamd to send signals to itself
Allow mozilla_plugin_t to read user home content.
And unlink pulseaudio shm.
---
diff --git a/policy/modules/apps/firewallgui.te b/policy/modules/apps/firewallgui.te
index 910a3f4..0bbd523 100644
--- a/policy/modules/apps/firewallgui.te
+++ b/policy/modules/apps/firewallgui.te
@@ -24,37 +24,38 @@ manage_files_pattern(firewallgui_t,firewallgui_tmp_t,firewallgui_tmp_t)
 manage_dirs_pattern(firewallgui_t,firewallgui_tmp_t,firewallgui_tmp_t)
 files_tmp_filetrans(firewallgui_t,firewallgui_tmp_t, { file dir })
 
-files_manage_system_conf_files(firewallgui_t)
-files_etc_filetrans_system_conf(firewallgui_t)
-
-corecmd_exec_shell(firewallgui_t)
-corecmd_exec_bin(firewallgui_t)
-consoletype_exec(firewallgui_t)
-
 kernel_read_system_state(firewallgui_t)
 kernel_read_network_state(firewallgui_t)
 kernel_rw_net_sysctls(firewallgui_t)
 kernel_rw_kernel_sysctl(firewallgui_t)
 kernel_rw_vm_sysctls(firewallgui_t)
 
+corecmd_exec_shell(firewallgui_t)
+corecmd_exec_bin(firewallgui_t)
+consoletype_exec(firewallgui_t)
+
+dev_read_urand(firewallgui_t)
+dev_read_sysfs(firewallgui_t)
+
+files_manage_system_conf_files(firewallgui_t)
+files_etc_filetrans_system_conf(firewallgui_t)
 files_read_etc_files(firewallgui_t)
 files_read_usr_files(firewallgui_t)
 files_search_kernel_modules(firewallgui_t)
 files_list_kernel_modules(firewallgui_t)
 
+iptables_domtrans(firewallgui_t)
+iptables_initrc_domtrans(firewallgui_t)
+
 modutils_getattr_module_deps(firewallgui_t)
 
-dev_read_urand(firewallgui_t)
-dev_read_sysfs(firewallgui_t)
+miscfiles_read_localization(firewallgui_t)
+
+userdom_dontaudit_search_user_home_dirs(firewallgui_t)
 
 nscd_dontaudit_search_pid(firewallgui_t)
 nscd_socket_use(firewallgui_t)
 
-miscfiles_read_localization(firewallgui_t)
-
-iptables_domtrans(firewallgui_t)
-iptables_initrc_domtrans(firewallgui_t)
-
 optional_policy(`
 	gnome_read_gconf_home_files(firewallgui_t)
 ')
diff --git a/policy/modules/apps/mozilla.te b/policy/modules/apps/mozilla.te
index 7243acc..0b1ca38 100644
--- a/policy/modules/apps/mozilla.te
+++ b/policy/modules/apps/mozilla.te
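Review bot: After the reordering, consoletype_exec, both iptables_* calls, modutils_getattr_module_deps and the two nscd_* calls are still unconditional, while only the gnome call at the end of the hunk sits inside an optional_policy block. Since the subject names easier syncing with upstream as the goal, note that upstream refpolicy expects calls into non-core modules such as these to be wrapped in optional_policy so firewallgui still builds when those modules are not loaded, which is presumably why the gnome call already is. The new `userdom_dontaudit_search_user_home_dirs(firewallgui_t)` is the right choice over granting the search, but a line above it recording the denial it silences would help whoever later asks whether it can go, e.g. `# search of user home dirs is not needed; silence the denial rather than allow it`. The modutils and userdom lines also land out of the alphabetical-by-module order the rest of the hunk follows (miscfiles should precede modutils, nscd should precede userdom).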
@@ -346,8 +346,10 @@ term_getattr_all_ttys(mozilla_plugin_t)
 term_getattr_all_ptys(mozilla_plugin_t)
 
 userdom_rw_user_tmpfs_files(mozilla_plugin_t)
+userdom_delete_user_tmpfs_files(mozilla_plugin_t)
 userdom_stream_connect(mozilla_plugin_t)
 userdom_dontaudit_use_user_ptys(mozilla_plugin_t)
+userdom_read_user_home_content_files(mozilla_plugin_t)
 
 optional_policy(`
 	alsa_read_rw_config(mozilla_plugin_t)
diff --git a/policy/modules/services/clamav.te b/policy/modules/services/clamav.te
index f9af97c..532fa91 100644
--- a/policy/modules/services/clamav.te
+++ b/policy/modules/services/clamav.te
@@ -64,6 +64,8 @@ logging_log_file(freshclam_var_log_t)
 allow clamd_t self:capability { kill setgid setuid dac_override };
 dontaudit clamd_t self:capability sys_tty_config;
 
+allow clamd_t self:process signal;
+
 allow clamd_t self:fifo_file rw_fifo_file_perms;
 allow clamd_t self:unix_stream_socket { create_stream_socket_perms connectto };
 allow clamd_t self:unix_dgram_socket create_socket_perms;
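Review bot: `userdom_read_user_home_content_files(mozilla_plugin_t)` hands the plugin domain unconditional read access to user home content, and mozilla_plugin_t is the domain meant to confine third-party browser plugins driven by untrusted web content, so this widens what a compromised plugin can exfiltrate with no way for an administrator to opt out. I would put the call inside a tunable_policy block keyed on a new boolean declared with gen_tunable in this file's declarations (default off or on as Fedora prefers), so sites whose plugins do not need $HOME can keep the grant disabled; with a boolean the line itself stays as written. The other addition, `userdom_delete_user_tmpfs_files(mozilla_plugin_t)`, is wider than the subject's "unlink pulseaudio shm" suggests, so a comment above it such as `# pulseaudio client unlinks its shm segment in user tmpfs` would document why deletion of user tmpfs files is needed. The mozilla_plugin_t local policy this hunk belongs to starts and ends outside the hunk.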
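Review bot: The added `allow clamd_t self:process signal;` is placed with a blank line on both sides, while the existing self rules in this hunk run from `self:capability` through `self:fifo_file` and the socket classes as one group; dropping the added trailing blank line keeps the new process permission with the rest of the self rules. The subject only says clamd signals itself, so if the triggering denial or the clamd feature behind it is known, a short comment above the rule recording it would save the next reader from having to rediscover it.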