From da073333456c1446709d584314a4153c50ab4d0a Mon Sep 17 00:00:00 2001
From: Dan Walsh
Date: Sep 09 2010 13:55:31 +0000
Subject: Allow mozilla_plugin to create nsplugin_home_t directories
Allow hugetlbfs_t to be on device_t file system
Fix for ajaxterm policy
Fix type in dbus_delete_pid_files
Change openvpn to only allow search of users home dir
---
diff --git a/policy/modules/apps/mozilla.te b/policy/modules/apps/mozilla.te
index 58899ca..ec6a1ff 100644
--- a/policy/modules/apps/mozilla.te
+++ b/policy/modules/apps/mozilla.te
@@ -355,6 +355,7 @@ optional_policy(`
 optional_policy(`
 nsplugin_domtrans(mozilla_plugin_t)
 nsplugin_rw_exec(mozilla_plugin_t)
+ nsplugin_manage_home_dirs(mozilla_plugin_t)
 nsplugin_manage_home_files(mozilla_plugin_t)
 ')
diff --git a/policy/modules/apps/nsplugin.if b/policy/modules/apps/nsplugin.if
index 4dd9d05..c779d44 100644
--- a/policy/modules/apps/nsplugin.if
+++ b/policy/modules/apps/nsplugin.if
@@ -284,6 +284,24 @@ interface(`nsplugin_manage_home_files',`
 ########################################
 ##
+## manage nnsplugin home dirs.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`nsplugin_manage_home_dirs',`
+ gen_require(`
+ type nsplugin_home_t;
+ ')
+
+ manage_dirs_pattern($1, nsplugin_home_t, nsplugin_home_t)
+')
+
+########################################
+##
 ## Allow attempts to read and write to
 ## nsplugin named pipes.
 ##
diff --git a/policy/modules/kernel/filesystem.te b/policy/modules/kernel/filesystem.te
index 930062c..31ebaa7 100644
--- a/policy/modules/kernel/filesystem.te
+++ b/policy/modules/kernel/filesystem.te
@@ -102,6 +102,7 @@ type hugetlbfs_t;
 fs_type(hugetlbfs_t)
 files_mountpoint(hugetlbfs_t)
 fs_use_trans hugetlbfs gen_context(system_u:object_r:hugetlbfs_t,s0);
+dev_associate_sysfs(hugetlbfs_t)
 type ibmasmfs_t;
 fs_type(ibmasmfs_t)
diff --git a/policy/modules/services/ajaxterm.te b/policy/modules/services/ajaxterm.te
index cba5f93..3441758 100644
--- a/policy/modules/services/ajaxterm.te
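Review bot: The summary line of the new interface in nsplugin.if misspells the module name: `+## manage nnsplugin home dirs.` should read `## Manage nsplugin home directories.` (refpolicy summaries are capitalised sentences). The XML tags that normally wrap the summary and the domain parameter are not visible on this page, which may be a rendering artefact; check that the `<summary>` and `<param name="domain">` elements are present in the file. The new interface grants only `manage_dirs_pattern` on nsplugin_home_t and does not itself grant search of the enclosing user home directory; the sibling `nsplugin_manage_home_files` begins outside this hunk, so I cannot confirm here whether it adds `userdom_search_user_home_dirs($1)`, but if it does the two should be made consistent or the difference noted in the summary.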
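Review bot: The rule added after the `fs_use_trans hugetlbfs` line, `dev_associate_sysfs(hugetlbfs_t)`, grants hugetlbfs_t the filesystem `associate` permission on sysfs_t, whereas the commit message says the goal is to allow hugetlbfs_t to be on the device_t file system. If the intent is a hugetlbfs mountpoint directory under /dev (a hugetlbfs_t directory living on a device_t filesystem), the association needed is with device_t, which refpolicy provides through `dev_associate`; if the sysfs association is what was actually observed in the denials, the commit message should say so instead. Either way a one-line comment naming the mountpoint that needs this rule would make it easier to audit later.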
+++ b/policy/modules/services/ajaxterm.te
@@ -30,7 +30,7 @@ allow ajaxterm_t self:fifo_file rw_fifo_file_perms;
 allow ajaxterm_t self:unix_stream_socket create_stream_socket_perms;
 allow ajaxterm_t self:tcp_socket create_stream_socket_perms;
-allow ajaxterm_t ajaxterm_devpts_t:chr_file { rw_chr_file_perms setattr getattr relabelfrom;
+allow ajaxterm_t ajaxterm_devpts_t:chr_file { rw_chr_file_perms setattr getattr relabelfrom };
 term_create_pty(ajaxterm_t, ajaxterm_devpts_t)
 manage_dirs_pattern(ajaxterm_t, ajaxterm_var_run_t, ajaxterm_var_run_t)
diff --git a/policy/modules/services/dbus.if b/policy/modules/services/dbus.if
index 63c82b7..87fc055 100644
--- a/policy/modules/services/dbus.if
+++ b/policy/modules/services/dbus.if
@@ -516,7 +516,7 @@ interface(`dbus_unconfined',`
 #
 interface(`dbus_delete_pid_files',`
 gen_require(`
- type dbus_var_run_t;
+ type system_dbusd_var_run_t;
 ')
 delete_files_pattern($1, system_dbusd_var_run_t, system_dbusd_var_run_t)
diff --git a/policy/modules/services/openvpn.te b/policy/modules/services/openvpn.te
index 196f2a2..80161cd 100644
--- a/policy/modules/services/openvpn.te
+++ b/policy/modules/services/openvpn.te
@@ -125,7 +125,7 @@ userdom_read_home_certs(openvpn_t)
 userdom_attach_admin_tun_iface(openvpn_t)
 tunable_policy(`openvpn_enable_homedirs',`
- userdom_read_user_home_content_files(openvpn_t)
+ userdom_search_user_home_dirs(openvpn_t)
 ')
 tunable_policy(`openvpn_enable_homedirs && use_nfs_home_dirs',`
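Review bot: The corrected chr_file rule in ajaxterm.te still lists `getattr` next to `rw_chr_file_perms`, which already includes getattr, so the permission set can be reduced to `allow ajaxterm_t ajaxterm_devpts_t:chr_file { rw_chr_file_perms setattr relabelfrom };`. Redundant permissions in hand-written allow rules tend to accumulate and make later audits of what a domain can do on its pty harder than necessary.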
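Review bot: Narrowing the `openvpn_enable_homedirs` branch to `userdom_search_user_home_dirs(openvpn_t)` only works because `userdom_read_home_certs(openvpn_t)`, visible in the hunk header, is granted unconditionally, and the boolean's description (declared earlier in openvpn.te, outside this hunk) presumably still describes the old, broader read access; it should be updated to something like `## Allow openvpn to search user home directories for its certificates.` so the documented scope matches the policy. The `openvpn_enable_homedirs && use_nfs_home_dirs` block that starts on the hunk's last line continues outside the hunk; if it still grants read access to NFS home content while the local branch grants only search, the two branches are now inconsistent and worth reconciling in the same change.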