From ddd1ccaa9394dbe6b407192d892c9d461caa4c08 Mon Sep 17 00:00:00 2001 From: Dan Walsh Date: Oct 03 2010 11:48:01 +0000 Subject: Allow unconfined_t to transition to alsa_t to make sure labels stay correct Lots of fixes for mozilla_plugin nsplugin and mozilla_plugin are starting to merge telepath_msn_t tries to read /proc/1/exe Allow smokeping cgi scripts to create /var/lib/smokeping dirs. Allow smbd_t to getquota on multiple file systems --- diff --git a/policy/modules/admin/alsa.if b/policy/modules/admin/alsa.if index 69aa742..20d51d0 100644 --- a/policy/modules/admin/alsa.if +++ b/policy/modules/admin/alsa.if @@ -21,6 +21,32 @@ interface(`alsa_domtrans',` ######################################## ## +## Execute a domain transition to run +## Alsa, and allow the specified role +## the Alsa domain. +## +## +## +## Domain allowed to transition. +## +## +## +## +## Role allowed access. +## +## +# +interface(`alsa_run',` + gen_require(` + type alsa_t; + ') + + alsa_domtrans($1) + role $2 types alsa_t; +') + +######################################## +## ## Read and write Alsa semaphores. ## ## diff --git a/policy/modules/apps/mozilla.if b/policy/modules/apps/mozilla.if index 47aa143..dfac7cc 100644 --- a/policy/modules/apps/mozilla.if +++ b/policy/modules/apps/mozilla.if @@ -29,7 +29,7 @@ interface(`mozilla_role',` allow mozilla_t $2:process { sigchld signull }; allow mozilla_t $2:unix_stream_socket connectto; - mozilla_plugin_run(mozilla_t, $2) + mozilla_run_plugin(mozilla_t, $2) # Allow the user domain to signal/ps. ps_process_pattern($2, mozilla_t) 
@@ -140,6 +140,24 @@ interface(`mozilla_dontaudit_manage_user_home_files',` ######################################## ## +## Execute mozilla home directory content. +## +## +## +## Domain allowed access. +## +## +# +interface(`mozilla_execute_user_home_files',` + gen_require(` + type mozilla_home_t; + ') + + can_exec($1, mozilla_home_t) +') + +######################################## +## ## Execmod mozilla home directory content. ## ## @@ -190,6 +208,7 @@ interface(`mozilla_domtrans_plugin',` ') domtrans_pattern($1, mozilla_plugin_exec_t, mozilla_plugin_t) + allow mozilla_plugin_t $1:process signull; ') @@ -216,8 +235,24 @@ interface(`mozilla_run_plugin',` mozilla_domtrans_plugin($1) role $2 types mozilla_plugin_t; +') - allow mozilla_plugin_t $1:process signull; +######################################## +## +## Execute qemu unconfined programs in the role. +## +## +## +## The role to allow the mozilla_plugin domain. +## +## +# +interface(`mozilla_role_plugin',` + gen_require(` + type mozilla_plugin_t; + ') + + role $1 types mozilla_plugin_t; ') ######################################## diff --git a/policy/modules/apps/mozilla.te b/policy/modules/apps/mozilla.te index 70d899d..cc87b60 100644 --- a/policy/modules/apps/mozilla.te +++ b/policy/modules/apps/mozilla.te @@ -312,6 +312,7 @@ read_files_pattern(mozilla_plugin_t, mozilla_home_t, mozilla_home_t) manage_dirs_pattern(mozilla_plugin_t, mozilla_plugin_tmp_t, mozilla_plugin_tmp_t) manage_files_pattern(mozilla_plugin_t, mozilla_plugin_tmp_t, mozilla_plugin_tmp_t) files_tmp_filetrans(mozilla_plugin_t, mozilla_plugin_tmp_t, { dir file }) +can_exec(mozilla_plugin_t, mozilla_plugin_tmp_t) manage_files_pattern(mozilla_plugin_t, mozilla_plugin_tmpfs_t, mozilla_plugin_tmpfs_t) manage_lnk_files_pattern(mozilla_plugin_t, mozilla_plugin_tmpfs_t, mozilla_plugin_tmpfs_t) 
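Review bot: The summary comment on the new `mozilla_role_plugin` interface in policy/modules/apps/mozilla.if is wrong: it reads "Execute qemu unconfined programs in the role.", which looks copied from the qemu interface. The body contains only `role $1 types mozilla_plugin_t;`, so the summary should read something like `## Allow the specified role the mozilla_plugin domain.` The parameter description further down already uses that wording.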
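Review bot: The plugin domain can now both write and execute files of type mozilla_plugin_tmp_t, because the added `can_exec(mozilla_plugin_t, mozilla_plugin_tmp_t)` in mozilla.te sits directly under `manage_files_pattern(mozilla_plugin_t, mozilla_plugin_tmp_t, mozilla_plugin_tmp_t)`. Code run this way stays in mozilla_plugin_t, but the rule removes the write-xor-execute separation for a domain that processes untrusted web content, and the commit message gives no reason for it. Either add a comment naming the plugin that needs it, for example `# <plugin name> unpacks and runs a helper from /tmp` (placeholder to fill in), or put the rule behind a tunable that defaults to off. The same write-plus-execute pairing appears in the nsplugin.te hunk at -180, where `mozilla_execute_user_home_files(nsplugin_t)` is added next to the existing `mozilla_write_user_home_files(nsplugin_t)`.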
@@ -365,6 +366,7 @@ userdom_rw_user_tmpfs_files(mozilla_plugin_t) userdom_delete_user_tmpfs_files(mozilla_plugin_t) userdom_stream_connect(mozilla_plugin_t) userdom_dontaudit_use_user_ptys(mozilla_plugin_t) +userdom_manage_user_tmp_sockets(mozilla_plugin_t) userdom_list_user_tmp(mozilla_plugin_t) userdom_read_user_tmp_files(mozilla_plugin_t) @@ -408,4 +410,5 @@ optional_policy(` xserver_read_xdm_pid(mozilla_plugin_t) xserver_stream_connect(mozilla_plugin_t) xserver_use_user_fonts(mozilla_plugin_t) + xserver_read_user_iceauth(mozilla_plugin_t) ') diff --git a/policy/modules/apps/nsplugin.fc b/policy/modules/apps/nsplugin.fc index 63abc5c..717eb3f 100644 --- a/policy/modules/apps/nsplugin.fc +++ b/policy/modules/apps/nsplugin.fc @@ -1,5 +1,6 @@ HOME_DIR/\.adobe(/.*)? gen_context(system_u:object_r:nsplugin_home_t,s0) HOME_DIR/\.macromedia(/.*)? gen_context(system_u:object_r:nsplugin_home_t,s0) +HOME_DIR/\.gnash(/.*)? gen_context(system_u:object_r:nsplugin_home_t,s0) HOME_DIR/\.gcjwebplugin(/.*)? gen_context(system_u:object_r:nsplugin_home_t,s0) HOME_DIR/\.icedteaplugin(/.*)? gen_context(system_u:object_r:nsplugin_home_t,s0) diff --git a/policy/modules/apps/nsplugin.te b/policy/modules/apps/nsplugin.te index 4e8a49e..1ca0e76 100644 --- a/policy/modules/apps/nsplugin.te +++ b/policy/modules/apps/nsplugin.te @@ -129,6 +129,7 @@ fs_getattr_xattr_fs(nsplugin_t) fs_search_auto_mountpoints(nsplugin_t) fs_rw_anon_inodefs_files(nsplugin_t) fs_list_inotifyfs(nsplugin_t) +fs_dontaudit_list_fusefs(nsplugin_t) storage_dontaudit_getattr_fixed_disk_dev(nsplugin_t) storage_dontaudit_getattr_removable_dev(nsplugin_t) @@ -180,6 +181,7 @@ optional_policy(` ') optional_policy(` + mozilla_execute_user_home_files(nsplugin_t) mozilla_read_user_home_files(nsplugin_t) mozilla_write_user_home_files(nsplugin_t) ') 
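Review bot: `userdom_manage_user_tmp_sockets(mozilla_plugin_t)` in the mozilla.te hunk at -365 looks broader than the connect access the neighbouring `userdom_stream_connect(mozilla_plugin_t)` already provides. Going by its name, a manage interface also covers creating and unlinking socket files in the user's tmp directories. That would let the plugin domain remove or replace sockets that other user applications rely on. If the plugin only needs a socket of its own, a private type for it would be tighter; otherwise add a comment such as `# <plugin name> creates its own socket under /tmp` (placeholder) to record why manage is required.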
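Review bot: The added `xserver_read_user_iceauth(mozilla_plugin_t)` in the xserver optional block at -408 gives the plugin domain read access to the user's ICE authority data, which is credential material for session-management connections. Nothing in the hunk or the commit message says which plugin needs it. If the access is only a library probing at start-up, a dontaudit rule would silence the denial without handing the cookie to a domain that handles untrusted content. If it is required, a one-line comment above the call should say so.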
@@ -225,6 +227,7 @@ allow nsplugin_config_t self:fifo_file rw_file_perms; allow nsplugin_config_t self:unix_stream_socket create_stream_socket_perms; dev_dontaudit_read_rand(nsplugin_config_t) +dev_dontaudit_rw_dri(nsplugin_config_t) fs_search_auto_mountpoints(nsplugin_config_t) fs_list_inotifyfs(nsplugin_config_t) diff --git a/policy/modules/apps/qemu.if b/policy/modules/apps/qemu.if index 8d8d961..f4e1572 100644 --- a/policy/modules/apps/qemu.if +++ b/policy/modules/apps/qemu.if @@ -339,7 +339,7 @@ interface(`qemu_spec_domtrans',` ## ## ## -## The role to allow the PAM domain. +## The role to allow the qemu unconfined domain. ## ## # diff --git a/policy/modules/apps/telepathy.te b/policy/modules/apps/telepathy.te index 34a2b48..0b28cf8 100644 --- a/policy/modules/apps/telepathy.te +++ b/policy/modules/apps/telepathy.te @@ -77,6 +77,8 @@ files_read_usr_files(telepathy_msn_t) auth_use_nsswitch(telepathy_msn_t) +init_read_state(telepathy_msn_t) + libs_exec_ldconfig(telepathy_msn_t) logging_send_syslog_msg(telepathy_msn_t) diff --git a/policy/modules/roles/unconfineduser.te b/policy/modules/roles/unconfineduser.te index 0e47a85..31bbe95 100644 --- a/policy/modules/roles/unconfineduser.te +++ b/policy/modules/roles/unconfineduser.te @@ -22,13 +22,6 @@ gen_tunable(unconfined_mozilla_plugin_transition, false) ## ##
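Review bot: `init_read_state(telepathy_msn_t)` in policy/modules/apps/telepathy.te carries no comment, and its only rationale is the commit message line saying the domain "tries to read /proc/1/exe". Judging by the interface name, it grants read on init's /proc entries in general, not just that one link. If the read is incidental, a dontaudit rule would be the tighter choice. If it is needed, add a comment such as `# reads /proc/1/exe` above the call so the reason survives in the policy source.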

-## Transition unconfined user to telepathy confined domains. -##

-##
-gen_tunable(unconfined_telepathy_transition, false) - -## -##

## Allow vidio playing tools to tun unconfined ##

##
@@ -227,6 +220,10 @@ optional_policy(` ') optional_policy(` + alsa_run(unconfined_t, unconfined_r) +') + +optional_policy(` apache_run_helper(unconfined_t, unconfined_r) ') @@ -341,8 +338,10 @@ optional_policy(` optional_policy(` + mozilla_role_plugin(unconfined_r) + tunable_policy(`unconfined_mozilla_plugin_transition', ` - mozilla_run_plugin(unconfined_usertype, unconfined_r) + mozilla_domtrans_plugin(unconfined_usertype) ') ') @@ -373,7 +372,7 @@ optional_policy(` qemu_domtrans(unconfined_t) ',` qemu_domtrans_unconfined(unconfined_t) -') + ') ') optional_policy(` @@ -404,9 +403,7 @@ optional_policy(` ') optional_policy(` - tunable_policy(`unconfined_telepathy_transition', ` - telepathy_dbus_session_role(unconfined_r, unconfined_t) - ') + telepathy_dbus_session_role(unconfined_r, unconfined_t) ') optional_policy(` diff --git a/policy/modules/services/apache.te b/policy/modules/services/apache.te index 300dffb..411a3ff 100644 --- a/policy/modules/services/apache.te +++ b/policy/modules/services/apache.te @@ -765,7 +765,7 @@ optional_policy(` ') optional_policy(` - smokeping_getattr_lib_files(httpd_t) + smokeping_read_lib_files(httpd_t) ') optional_policy(` diff --git a/policy/modules/services/samba.te b/policy/modules/services/samba.te index e4334a6..8e36be0 100644 --- a/policy/modules/services/samba.te +++ b/policy/modules/services/samba.te @@ -325,6 +325,7 @@ fs_get_xattr_fs_quotas(smbd_t) fs_search_auto_mountpoints(smbd_t) fs_getattr_rpc_dirs(smbd_t) fs_list_inotifyfs(smbd_t) +fs_get_all_fs_quotas(smbd_t) auth_use_nsswitch(smbd_t) auth_domtrans_chk_passwd(smbd_t) diff --git a/policy/modules/services/smokeping.te b/policy/modules/services/smokeping.te index 058bfc9..247beaf 100644 --- a/policy/modules/services/smokeping.te +++ b/policy/modules/services/smokeping.te 
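Review bot: Widening httpd_t from getattr to read on smokeping's lib files, as `smokeping_read_lib_files(httpd_t)` does in the apache.te hunk, is not covered by the commit message, which only mentions the smokeping CGI scripts. The CGI domain httpd_smokeping_cgi_script_t already has manage access to smokeping_var_lib_t in smokeping.te, so it is not clear from this diff that the main server domain needs to read the data itself. Please confirm the denial was logged against httpd_t and record the reason in a comment above the call; otherwise keep `smokeping_getattr_lib_files(httpd_t)`.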
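Review bot: `fs_get_xattr_fs_quotas(smbd_t)` looks redundant now that `fs_get_all_fs_quotas(smbd_t)` is added a few lines below it in the samba.te hunk. Going by the names, the all-filesystems call presumably covers the xattr case, so keeping both makes the intended scope harder to read. Either drop the older line or, if only specific filesystem types are exported, list those instead of granting quota queries on every filesystem type.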
@@ -65,6 +65,7 @@ optional_policy(` allow httpd_smokeping_cgi_script_t self:udp_socket create_socket_perms; + manage_dirs_pattern(httpd_smokeping_cgi_script_t, smokeping_var_lib_t, smokeping_var_lib_t) manage_files_pattern(httpd_smokeping_cgi_script_t, smokeping_var_lib_t, smokeping_var_lib_t) getattr_files_pattern(httpd_smokeping_cgi_script_t, smokeping_var_run_t, smokeping_var_run_t) diff --git a/policy/modules/system/authlogin.if b/policy/modules/system/authlogin.if index 149e383..c411b5e 100644 --- a/policy/modules/system/authlogin.if +++ b/policy/modules/system/authlogin.if @@ -1432,25 +1432,6 @@ interface(`auth_read_login_records',` ######################################## ## -## Read login records files (/var/log/wtmp). -## -## -## -## Domain allowed access. -## -## -## -# -interface(`auth_dontaudit_read_login_records',` - gen_require(` - type wtmp_t; - ') - - dontaudit $1 wtmp_t:file read_file_perms; -') - -######################################## -## ## Do not audit attempts to read login records ## files (/var/log/wtmp). ##
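Review bot: The added `manage_dirs_pattern(httpd_smokeping_cgi_script_t, smokeping_var_lib_t, smokeping_var_lib_t)` in smokeping.te grants more than the commit message asks for. The stated goal is to let the CGI scripts create directories under /var/lib/smokeping, while manage also covers removing and renaming them. Since this domain runs web-reachable CGI code, the narrower `create_dirs_pattern(httpd_smokeping_cgi_script_t, smokeping_var_lib_t, smokeping_var_lib_t)` would match the described need, assuming no delete or rename denial was observed. The optional_policy block this line sits in starts and ends outside the hunk.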