diff --git a/policy/modules/apps/chrome.te b/policy/modules/apps/chrome.te
index 90c754f..5725183 100644
--- a/policy/modules/apps/chrome.te
+++ b/policy/modules/apps/chrome.te
@@ -60,6 +60,8 @@ userdom_dontaudit_use_user_terminals(chrome_sandbox_t)
 miscfiles_read_localization(chrome_sandbox_t)
 miscfiles_read_fonts(chrome_sandbox_t)
 
+sysnet_dontaudit_read_config(chrome_sandbox_t)
+
 optional_policy(`
 execmem_exec(chrome_sandbox_t)
 ')
diff --git a/policy/modules/apps/mozilla.te b/policy/modules/apps/mozilla.te
index ec6a1ff..3018e86 100644
--- a/policy/modules/apps/mozilla.te
+++ b/policy/modules/apps/mozilla.te
@@ -315,6 +315,8 @@ manage_fifo_files_pattern(mozilla_plugin_t, mozilla_plugin_tmpfs_t, mozilla_plug
 manage_sock_files_pattern(mozilla_plugin_t, mozilla_plugin_tmpfs_t, mozilla_plugin_tmpfs_t)
 fs_tmpfs_filetrans(mozilla_plugin_t, mozilla_plugin_tmpfs_t, { file lnk_file sock_file fifo_file })
 
+can_exec(mozilla_plugin_t, mozilla_exec_t)
+
 kernel_read_kernel_sysctls(mozilla_plugin_t)
 kernel_read_system_state(mozilla_plugin_t)
 kernel_request_load_module(mozilla_plugin_t)
@@ -325,6 +327,8 @@ corecmd_exec_shell(mozilla_plugin_t)
 dev_read_urand(mozilla_plugin_t)
 dev_read_video_dev(mozilla_plugin_t)
 dev_read_sysfs(mozilla_plugin_t)
+dev_read_sound(mozilla_plugin_t)
+dev_write_sound(mozilla_plugin_t)
 
 domain_use_interactive_fds(mozilla_plugin_t)
 domain_dontaudit_read_all_domains_state(mozilla_plugin_t)
@@ -345,11 +349,16 @@ userdom_stream_connect(mozilla_plugin_t)
 userdom_dontaudit_use_user_ptys(mozilla_plugin_t)
 
 optional_policy(`
+ alsa_read_rw_config(mozilla_plugin_t)
+')
+
+optional_policy(`
 dbus_read_lib_files(mozilla_plugin_t)
 ')
 
 optional_policy(`
 gnome_manage_home_config(mozilla_plugin_t)
+ gnome_setattr_config_dirs(mozilla_plugin_t)
 ')
 
 optional_policy(`
@@ -366,4 +375,5 @@ optional_policy(`
 optional_policy(`
 xserver_read_xdm_pid(mozilla_plugin_t)
 xserver_stream_connect(mozilla_plugin_t)
+ xserver_use_user_fonts(mozilla_plugin_t)
 ')
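Review bot: The new `sysnet_dontaudit_read_config(chrome_sandbox_t)` line in the chrome.te hunk hides denials on network-configuration reads without recording why the access is being silenced rather than granted. A dontaudit is only the right choice when the read is known to be unneeded; if the sandbox does need that configuration at some point, the denial that explains the breakage will no longer appear in the audit log. A one-line comment above the interface call, such as `# sandbox probes network config it does not require; silence the denial (confirm)`, would capture that judgement for the next maintainer.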
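Review bot: `can_exec(mozilla_plugin_t, mozilla_exec_t)` in the first mozilla.te hunk grants execute without a domain transition, so anything the plugin starts from the browser binary keeps running as mozilla_plugin_t rather than in the browser's own domain. If the intent is for the plugin to launch the browser (for example to open a URL), a domain-transition interface would preserve the separation between the two domains; if it only needs to run code from that file label inside its own domain, a comment saying so would keep this from being read as an oversight, e.g. `# plugin executes mozilla_exec_t in its own domain; no transition intended`. The remaining mozilla.te hunks (sound devices, alsa config, gnome setattr, X fonts) look consistent with the surrounding plugin policy and raise nothing further.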
diff --git a/policy/modules/apps/telepathy.te b/policy/modules/apps/telepathy.te
index c7250ae..4aea465 100644
--- a/policy/modules/apps/telepathy.te
+++ b/policy/modules/apps/telepathy.te
@@ -275,7 +275,7 @@ optional_policy(`
 # telepathy domains common policy
 #
 
-allow telepathy_domain self:process { getsched signal };
+allow telepathy_domain self:process { getsched signal sigkill };
 allow telepathy_domain self:fifo_file rw_fifo_file_perms;
 allow telepathy_domain self:tcp_socket create_socket_perms;
 allow telepathy_domain self:udp_socket create_socket_perms;
diff --git a/policy/modules/services/fprintd.te b/policy/modules/services/fprintd.te
index 54fada0..899feaf 100644
--- a/policy/modules/services/fprintd.te
+++ b/policy/modules/services/fprintd.te
@@ -17,9 +17,9 @@ files_type(fprintd_var_lib_t)
 # Local policy
 #
 
-allow fprintd_t self:capability sys_ptrace;
+allow fprintd_t self:capability { sys_nice sys_ptrace };
 allow fprintd_t self:fifo_file rw_fifo_file_perms;
-allow fprintd_t self:process { getsched signal };
+allow fprintd_t self:process { getsched setsched signal };
 
 manage_dirs_pattern(fprintd_t, fprintd_var_lib_t, fprintd_var_lib_t)
 manage_files_pattern(fprintd_t, fprintd_var_lib_t, fprintd_var_lib_t)
diff --git a/policy/modules/system/miscfiles.fc b/policy/modules/system/miscfiles.fc
index 63c1b2f..1f0ccfd 100644
--- a/policy/modules/system/miscfiles.fc
+++ b/policy/modules/system/miscfiles.fc
@@ -11,6 +11,7 @@ ifdef(`distro_gentoo',`
 /etc/avahi/etc/localtime -- gen_context(system_u:object_r:locale_t,s0)
 /etc/localtime -- gen_context(system_u:object_r:locale_t,s0)
 /etc/pki(/.*)? gen_context(system_u:object_r:cert_t,s0)
+/etc/httpd/alias/[^/]*\.db(\.[^/]*)* -- gen_context(system_u:object_r:cert_t,s0)
 
 ifdef(`distro_redhat',`
 /etc/sysconfig/clock -- gen_context(system_u:object_r:locale_t,s0)
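Review bot: The `sys_nice` capability added to fprintd_t, together with the paired `setsched` on self:process, is not explained anywhere in the fprintd.te hunk. The process rule is limited to self, but CAP_SYS_NICE is a kernel-wide capability whose other uses are then governed only by the surrounding policy, so a line recording the use case helps later audits judge whether it is still needed, e.g. `# sys_nice + setsched: fprintd adjusts its own scheduling priority (confirm use case)`.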
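Review bot: The new `/etc/httpd/alias/[^/]*\.db(\.[^/]*)*` entry in miscfiles.fc sits in the unconditional section, although the distro_redhat ifdef block that begins two lines later exists for exactly this kind of distribution-specific path; if /etc/httpd/alias is a Red Hat layout, the line belongs inside that block so other distributions do not carry the pattern. Separately, the pattern labels every `*.db` file in that directory as cert_t, the broadly readable label for public certificates; if the NSS database there also holds key material, those files inherit the same wide read access, so either a more restrictive label for the key database or a comment recording why cert_t is acceptable is worth considering.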