From c6fa935fd5dcfbce64fd879cb5d55756f1ea4d88 Mon Sep 17 00:00:00 2001
From: Dan Walsh
Date: Aug 31 2010 22:36:43 +0000
Subject: Fix sandbox tcp_socket calls to create_stream_socket_perms
Dontaudit sandbox_xserver_t trying to get the kernel to load modules
telepathy_msn sends dbus messages to networkmanager
mailman_t trys to read /root/.config
xserver tries to getpgid on processes that start it.
pam_systemd causes /var/run/users to be called for all login programs. Must allow them to create directories
---
diff --git a/policy/modules/apps/sandbox.te b/policy/modules/apps/sandbox.te
index 88a211a..8d4ac56 100644
--- a/policy/modules/apps/sandbox.te
+++ b/policy/modules/apps/sandbox.te
@@ -45,6 +45,8 @@ manage_fifo_files_pattern(sandbox_xserver_t, sandbox_xserver_tmpfs_t, sandbox_xs
 manage_sock_files_pattern(sandbox_xserver_t, sandbox_xserver_tmpfs_t, sandbox_xserver_tmpfs_t)
 fs_tmpfs_filetrans(sandbox_xserver_t, sandbox_xserver_tmpfs_t, { dir file lnk_file sock_file fifo_file })
+kernel_dontaudit_request_load_module(sandbox_xserver_t)
+
 corecmd_exec_bin(sandbox_xserver_t)
 corecmd_exec_shell(sandbox_xserver_t)
@@ -238,7 +240,7 @@ userdom_use_user_ptys(sandbox_x_t)
 #
 # sandbox_x_client_t local policy
 #
-allow sandbox_x_client_t self:tcp_socket create_socket_perms;
+allow sandbox_x_client_t self:tcp_socket create_stream_socket_perms;
 allow sandbox_x_client_t self:udp_socket create_socket_perms;
 allow sandbox_x_client_t self:dbus { acquire_svc send_msg };
 allow sandbox_x_client_t self:netlink_selinux_socket create_socket_perms;
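Review bot: The switch from create_socket_perms to create_stream_socket_perms on the sandbox_x_client_t tcp_socket rule also grants listen and accept, so a sandboxed X client can now serve inbound TCP connections rather than only originate them, and neither the hunk nor the commit message says which application needed that. The same widening is made for sandbox_web_type in the @@ -272 hunk. If the motivating denial was a listen on a local helper socket, a comment above the allow line naming it, `# create_stream_socket_perms: listen/accept needed by <app — TODO name it>`, would keep the next reviewer from narrowing the rule back without knowing what breaks.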
@@ -272,7 +274,7 @@ allow sandbox_web_type self:netlink_audit_socket nlmsg_relay;
 allow sandbox_web_type self:process setsched;
 dontaudit sandbox_web_type self:process setrlimit;
-allow sandbox_web_type self:tcp_socket create_socket_perms;
+allow sandbox_web_type self:tcp_socket create_stream_socket_perms;
 allow sandbox_web_type self:udp_socket create_socket_perms;
 allow sandbox_web_type self:dbus { acquire_svc send_msg };
 allow sandbox_web_type self:netlink_selinux_socket create_socket_perms;
diff --git a/policy/modules/apps/telepathy.te b/policy/modules/apps/telepathy.te
index 59867f6..7e8fd3a 100644
--- a/policy/modules/apps/telepathy.te
+++ b/policy/modules/apps/telepathy.te
@@ -80,6 +80,9 @@ sysnet_read_config(telepathy_msn_t)
 optional_policy(`
 dbus_system_bus_client(telepathy_msn_t)
+ optional_policy(`
+ networkmanager_dbus_chat(telepathy_msn_t)
+ ')
 ')
 optional_policy(`
diff --git a/policy/modules/services/devicekit.te b/policy/modules/services/devicekit.te
index b191ff7..ca3a848 100644
--- a/policy/modules/services/devicekit.te
+++ b/policy/modules/services/devicekit.te
@@ -239,6 +239,7 @@ files_read_etc_files(devicekit_power_t)
 files_read_usr_files(devicekit_power_t)
 fs_list_inotifyfs(devicekit_power_t)
+fs_getattr_all_fs(devicekit_power_t)
 term_use_all_terms(devicekit_power_t)
diff --git a/policy/modules/services/mailman.te b/policy/modules/services/mailman.te
index af4d572..ac97ed9 100644
--- a/policy/modules/services/mailman.te
+++ b/policy/modules/services/mailman.te
@@ -81,6 +81,10 @@ optional_policy(`
 ')
 optional_policy(`
+ gnome_dontaudit_search_config(mailman_mail_t)
+')
+
+optional_policy(`
 cron_read_pipes(mailman_mail_t)
 ')
@@ -125,4 +129,4 @@ optional_policy(`
 optional_policy(`
 su_exec(mailman_queue_t)
-')
\ No newline at end of file
+')
diff --git a/policy/modules/services/xserver.if b/policy/modules/services/xserver.if
index 6ff8f25..a1d911d 100644
--- a/policy/modules/services/xserver.if
+++ b/policy/modules/services/xserver.if
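Review bot: fs_getattr_all_fs(devicekit_power_t) in the devicekit.te hunk is the one change in this patch that the commit message does not mention, so the reason devicekit_power_t now needs getattr on every filesystem type is not recorded anywhere. As its name says, the interface applies to all filesystem types rather than the one that produced the denial; since each other item in the message names a single cause, a comment above the line, `# filesystem getattr for <fs — TODO: name the filesystem that triggered the denial>`, or a narrower per-filesystem interface if one fits, would document the scope.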
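Review bot: The commit message says mailman_t tries to read /root/.config, but the rule added in the mailman.te hunk is gnome_dontaudit_search_config(mailman_mail_t); the two names should agree, because someone matching the denial against the message will look for the wrong domain. The rule is also a dontaudit on searching the gnome config type, so if mailman_mail_t ever does need that directory the denial will be silent; a comment such as `# silences a search of ~/.config that mailman does not need` above the line would record that the silence is deliberate. Splitting it into its own optional_policy block, separate from cron_read_pipes, is the right structure.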
@@ -1164,6 +1164,8 @@ interface(`xserver_domtrans',`
 allow $1 xserver_t:process siginh;
 domtrans_pattern($1, xserver_exec_t, xserver_t)
+
+ allow xserver_t $1:process getpgid;
 ')
 ########################################
diff --git a/policy/modules/system/authlogin.if b/policy/modules/system/authlogin.if
index 06185fd..227958c 100644
--- a/policy/modules/system/authlogin.if
+++ b/policy/modules/system/authlogin.if
@@ -113,6 +113,7 @@ interface(`auth_login_pgm_domain',`
 userdom_manage_all_users_keys($1)
 files_list_var_lib($1)
+ manage_dirs_pattern($1, var_auth_t, var_auth_t)
 manage_files_pattern($1, var_auth_t, var_auth_t)
 manage_dirs_pattern($1, auth_cache_t, auth_cache_t)
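Review bot: `allow xserver_t $1:process getpgid;` inside xserver_domtrans grants xserver_t a right over every domain that calls this interface, but the interface's documentation header, above the hunk and outside it, presumably still describes only the transition into xserver_t. Rules that give the target domain access to the caller are easy to miss when auditing a domtrans interface, so the `## <summary>` or `## <desc>` block of xserver_domtrans should mention it, e.g. `Also allows xserver_t to getpgid on the calling domain.` The interface body ends at the `')` in this hunk; its header is outside.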
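Review bot: manage_dirs_pattern($1, var_auth_t, var_auth_t) in the authlogin.if hunk gives every domain that calls auth_login_pgm_domain create, delete, rename and reparent on var_auth_t directories, while the commit message only asks for directory creation for /var/run/users. Unless /var/run/users is already labeled var_auth_t by a file context or a filetrans rule outside this hunk, a directory a login program creates under /var/run would inherit the parent's type and this new rule would not reach it; worth confirming against authlogin.fc. If creation is all pam_systemd needs, `create_dirs_pattern($1, var_auth_t, var_auth_t)` is the narrower rule. auth_login_pgm_domain continues outside the hunk.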