diff --git a/refpolicy/policy/modules/kernel/filesystem.if b/refpolicy/policy/modules/kernel/filesystem.if
index a2a105a..e460ebe 100644
--- a/refpolicy/policy/modules/kernel/filesystem.if
+++ b/refpolicy/policy/modules/kernel/filesystem.if
@@ -2531,7 +2531,7 @@ interface(`fs_tmpfs_filetrans',`
 #
 interface(`fs_dontaudit_rw_tmpfs_files',`
 gen_require(`
- type tmp_t;
+ type tmpfs_t;
 ')
 dontaudit $1 tmpfs_t:file { read write };
diff --git a/refpolicy/policy/modules/kernel/filesystem.te b/refpolicy/policy/modules/kernel/filesystem.te
index 12b652f..228f47d 100644
--- a/refpolicy/policy/modules/kernel/filesystem.te
+++ b/refpolicy/policy/modules/kernel/filesystem.te
@@ -1,5 +1,5 @@
-policy_module(filesystem,1.3.1)
+policy_module(filesystem,1.3.2)
 ########################################
 #
diff --git a/refpolicy/policy/modules/services/bluetooth.te b/refpolicy/policy/modules/services/bluetooth.te
index 6576760..daf0c41 100644
--- a/refpolicy/policy/modules/services/bluetooth.te
+++ b/refpolicy/policy/modules/services/bluetooth.te
@@ -1,5 +1,5 @@
-policy_module(bluetooth,1.2.1)
+policy_module(bluetooth,1.2.2)
 ########################################
 #
@@ -195,6 +195,7 @@ domain_read_all_domains_state(bluetooth_helper_t)
 files_read_etc_files(bluetooth_helper_t)
 files_read_etc_runtime_files(bluetooth_helper_t)
 files_read_usr_files(bluetooth_helper_t)
+files_search_tmp(bluetooth_helper_t)
 files_dontaudit_list_default(bluetooth_helper_t)
 libs_use_ld_so(bluetooth_helper_t)
@@ -205,6 +206,20 @@ logging_send_syslog_msg(bluetooth_helper_t)
 miscfiles_read_localization(bluetooth_helper_t)
 miscfiles_read_fonts(bluetooth_helper_t)
+ifdef(`targeted_policy',`
+ files_rw_generic_tmp_sockets(bluetooth_helper_t)
+
+ fs_rw_tmpfs_files(bluetooth_helper_t)
+
+ unconfined_stream_connect(bluetooth_helper_t)
+
+ userdom_read_all_users_home_content_files(bluetooth_helper_t)
+
+ optional_policy(`
+ xserver_stream_connect_xdm(bluetooth_helper_t)
+ ')
+')
+
 optional_policy(`
 dbus_system_bus_client_template(bluetooth_helper,bluetooth_helper_t)
 dbus_connect_system_bus(bluetooth_helper_t)
@@ -218,24 +233,3 @@ optional_policy(`
 optional_policy(`
 xserver_stream_connect_xdm(bluetooth_helper_t)
 ')
-
-ifdef(`TODO',`
-allow bluetooth_helper_t tmp_t:dir search;
-
-ifdef(`strict_policy',`
- ifdef(`xdm.te',`
- allow bluetooth_helper_t xdm_xserver_tmp_t:sock_file { read write };
- ')
-')
-') dnl end TODO
-
-ifdef(`targeted_policy',`
- files_rw_generic_tmp_sockets(bluetooth_helper_t)
- allow bluetooth_helper_t tmpfs_t:file { read write };
- allow bluetooth_helper_t unconfined_t:unix_stream_socket connectto;
- userdom_read_all_users_home_content_files(bluetooth_helper_t)
-
- optional_policy(`
- xserver_stream_connect_xdm(bluetooth_helper_t)
- ')
-')
diff --git a/refpolicy/policy/modules/system/unconfined.if b/refpolicy/policy/modules/system/unconfined.if
index 79d3af0..52e2f92 100644
--- a/refpolicy/policy/modules/system/unconfined.if
+++ b/refpolicy/policy/modules/system/unconfined.if
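Review bot: The nested `optional_policy(` xserver_stream_connect_xdm(bluetooth_helper_t) ')` inside the new `ifdef(`targeted_policy'` block is redundant, because the same call is already made unconditionally in the `optional_policy(` block that survives as context at the top of the following hunk; the targeted-only copy was carried over from the removed block and can be dropped. The other three calls in the block (`fs_rw_tmpfs_files`, `unconfined_stream_connect`, `userdom_read_all_users_home_content_files`) replace the raw allow rules deleted further down with the equivalent interfaces, so the grant is not widened, but read/write on every tmpfs_t file plus connectto on any unconfined_t stream socket is a broad set for a helper and the block says nothing about which peer or which files it actually needs. A one-line comment at the top of the ifdef naming the consumer these rules exist for would make the grant auditable; the diff gives no hint of it, so that has to come from the author. The bluetooth_helper_t rule set this block sits in begins and ends outside the hunk.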
@@ -304,6 +304,25 @@ interface(`unconfined_rw_pipes',`
 ########################################
 ##
+## Connect to the unconfined domain using
+## a unix domain stream socket.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`unconfined_stream_connect',`
+ gen_require(`
+ type unconfined_t;
+ ')
+
+ allow $1 unconfined_t:unix_stream_socket connectto;
+')
+
+########################################
+##
 ## Do not audit attempts to read or write
 ## unconfined domain tcp sockets.
 ##
diff --git a/refpolicy/policy/modules/system/unconfined.te b/refpolicy/policy/modules/system/unconfined.te
index d6da5b4..e14e278 100644
--- a/refpolicy/policy/modules/system/unconfined.te
+++ b/refpolicy/policy/modules/system/unconfined.te
@@ -1,5 +1,5 @@
-policy_module(unconfined,1.3.1)
+policy_module(unconfined,1.3.2)
 ########################################
 #
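Review bot: The summary of the new `unconfined_stream_connect` interface undersells what it grants: `allow $1 unconfined_t:unix_stream_socket connectto;` lets the caller connect to any stream socket an unconfined_t process listens on, not to one specific service, and a caller reading "connect to the unconfined domain" may take it for a narrow grant. Suggest extending the summary to `## Connect to the unconfined domain using a unix domain stream socket. This reaches every stream socket unconfined_t listens on; intended for targeted policy, where the peer itself runs unconfined.` The bare `+##` lines around `Domain allowed access.` look like refpolicy's usual `<summary>`/`<param name="domain">` markup with the tags lost in rendering; if they are genuinely absent in the source, add them so the interface documentation generates. The interface is complete within the hunk.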