files_tmpfs_file(mozilla_plugin_tmpfs_t)
ubac_constrained(mozilla_plugin_tmpfs_t)
+type mozilla_plugin_rw_t;
+files_type(mozilla_plugin_rw_t)
+
+type mozilla_plugin_config_t;
+type mozilla_plugin_config_exec_t;
+application_domain(mozilla_plugin_config_t, mozilla_plugin_config_exec_t)
+
type mozilla_tmp_t;
files_tmp_file(mozilla_tmp_t)
ubac_constrained(mozilla_tmp_t)
corenet_tcp_sendrecv_squid_port(mozilla_t)
corenet_tcp_connect_flash_port(mozilla_t)
corenet_tcp_sendrecv_ftp_port(mozilla_t)
+corenet_tcp_connect_all_ephemeral_ports(mozilla_t)
corenet_tcp_sendrecv_ipp_port(mozilla_t)
corenet_tcp_connect_http_port(mozilla_t)
corenet_tcp_connect_http_cache_port(mozilla_t)
term_dontaudit_getattr_pty_dirs(mozilla_t)
+auth_use_nsswitch(mozilla_t)
+
logging_send_syslog_msg(mozilla_t)
miscfiles_read_fonts(mozilla_t)
xserver_dontaudit_read_xdm_tmp_files(mozilla_t)
xserver_dontaudit_getattr_xdm_tmp_sockets(mozilla_t)
-tunable_policy(`allow_execmem',`
- allow mozilla_t self:process { execmem execstack };
+tunable_policy(`allow_execstack',`
+ allow mozilla_t self:process execstack;
')
-tunable_policy(`use_nfs_home_dirs',`
- fs_manage_nfs_dirs(mozilla_t)
- fs_manage_nfs_files(mozilla_t)
- fs_manage_nfs_symlinks(mozilla_t)
+tunable_policy(`deny_execmem',`',`
+ allow mozilla_t self:process execmem;
')
-tunable_policy(`use_samba_home_dirs',`
- fs_manage_cifs_dirs(mozilla_t)
- fs_manage_cifs_files(mozilla_t)
- fs_manage_cifs_symlinks(mozilla_t)
-')
+userdom_home_manager(mozilla_t)
# Uploads, local html
tunable_policy(`mozilla_read_content && use_nfs_home_dirs',`
mplayer_read_user_home_files(mozilla_t)
')
-optional_policy(`
- nscd_socket_use(mozilla_t)
-')
-
-optional_policy(`
- nsplugin_manage_rw(mozilla_t)
- nsplugin_manage_home_files(mozilla_t)
-')
-
optional_policy(`
pulseaudio_exec(mozilla_t)
pulseaudio_stream_connect(mozilla_t)
# mozilla_plugin local policy
#
-dontaudit mozilla_plugin_t self:capability { sys_ptrace };
+dontaudit mozilla_plugin_t self:capability sys_nice;
allow mozilla_plugin_t self:process { setsched signal_perms execmem };
allow mozilla_plugin_t self:netlink_route_socket r_netlink_socket_perms;
allow mozilla_plugin_t self:unix_stream_socket { connectto create_stream_socket_perms };
can_exec(mozilla_plugin_t, mozilla_home_t)
-read_files_pattern(mozilla_plugin_t, mozilla_home_t, mozilla_home_t)
+manage_dirs_pattern(mozilla_plugin_t, mozilla_home_t, mozilla_home_t)
+manage_files_pattern(mozilla_plugin_t, mozilla_home_t, mozilla_home_t)
+manage_lnk_files_pattern(mozilla_plugin_t, mozilla_home_t, mozilla_home_t)
manage_dirs_pattern(mozilla_plugin_t, mozilla_plugin_tmp_t, mozilla_plugin_tmp_t)
manage_files_pattern(mozilla_plugin_t, mozilla_plugin_tmp_t, mozilla_plugin_tmp_t)
manage_sock_files_pattern(mozilla_plugin_t, mozilla_plugin_tmpfs_t, mozilla_plugin_tmpfs_t)
fs_tmpfs_filetrans(mozilla_plugin_t, mozilla_plugin_tmpfs_t, { file lnk_file sock_file fifo_file })
+allow mozilla_plugin_t mozilla_plugin_rw_t:dir list_dir_perms;
+read_lnk_files_pattern(mozilla_plugin_t, mozilla_plugin_rw_t, mozilla_plugin_rw_t)
+read_files_pattern(mozilla_plugin_t, mozilla_plugin_rw_t, mozilla_plugin_rw_t)
+
can_exec(mozilla_plugin_t, mozilla_exec_t)
kernel_read_kernel_sysctls(mozilla_plugin_t)
corenet_tcp_connect_mmcc_port(mozilla_plugin_t)
corenet_tcp_connect_speech_port(mozilla_plugin_t)
corenet_tcp_connect_streaming_port(mozilla_plugin_t)
+corenet_tcp_connect_ftp_port(mozilla_plugin_t)
+corenet_tcp_connect_all_ephemeral_ports(mozilla_plugin_t)
corenet_tcp_bind_generic_node(mozilla_plugin_t)
corenet_udp_bind_generic_node(mozilla_plugin_t)
userdom_read_user_home_content_symlinks(mozilla_plugin_t)
userdom_read_home_certs(mozilla_plugin_t)
userdom_dontaudit_write_home_certs(mozilla_plugin_t)
+userdom_read_home_audio_files(mozilla_plugin_t)
-tunable_policy(`allow_execmem',`
- allow mozilla_plugin_t self:process { execmem execstack };
+tunable_policy(`deny_execmem',`', `
+ allow mozilla_plugin_t self:process execmem;
')
tunable_policy(`allow_execstack',`
- allow mozilla_plugin_t self:process { execstack };
+ allow mozilla_plugin_t self:process execstack;
')
-tunable_policy(`use_nfs_home_dirs',`
- fs_manage_nfs_dirs(mozilla_plugin_t)
- fs_manage_nfs_files(mozilla_plugin_t)
- fs_manage_nfs_symlinks(mozilla_plugin_t)
-')
-
-tunable_policy(`use_samba_home_dirs',`
- fs_manage_cifs_dirs(mozilla_plugin_t)
- fs_manage_cifs_files(mozilla_plugin_t)
- fs_manage_cifs_symlinks(mozilla_plugin_t)
-')
+userdom_home_manager(mozilla_plugin_t)
optional_policy(`
alsa_read_rw_config(mozilla_plugin_t)
optional_policy(`
gnome_manage_config(mozilla_plugin_t)
+ gnome_read_usr_config(mozilla_plugin_t)
')
optional_policy(`
mplayer_read_user_home_files(mozilla_plugin_t)
')
-optional_policy(`
- nsplugin_domtrans(mozilla_plugin_t)
- nsplugin_rw_exec(mozilla_plugin_t)
- nsplugin_manage_home_dirs(mozilla_plugin_t)
- nsplugin_manage_home_files(mozilla_plugin_t)
- nsplugin_user_home_dir_filetrans(mozilla_plugin_t, dir)
- nsplugin_user_home_filetrans(mozilla_plugin_t, file)
- nsplugin_read_rw_files(mozilla_plugin_t);
- nsplugin_signal(mozilla_plugin_t)
-')
-
optional_policy(`
pulseaudio_exec(mozilla_plugin_t)
pulseaudio_stream_connect(mozilla_plugin_t)
xserver_append_xdm_home_files(mozilla_plugin_t);
')
+########################################
+#
+# mozilla_plugin_config local policy
+#
+
+allow mozilla_plugin_config_t self:capability { dac_override dac_read_search sys_nice setuid setgid };
+allow mozilla_plugin_config_t self:process { setsched signal_perms getsched execmem };
+
+allow mozilla_plugin_config_t self:fifo_file rw_file_perms;
+allow mozilla_plugin_config_t self:unix_stream_socket create_stream_socket_perms;
+
+dev_search_sysfs(mozilla_plugin_config_t)
+dev_read_urand(mozilla_plugin_config_t)
+dev_dontaudit_read_rand(mozilla_plugin_config_t)
+dev_dontaudit_rw_dri(mozilla_plugin_config_t)
+
+fs_search_auto_mountpoints(mozilla_plugin_config_t)
+fs_list_inotifyfs(mozilla_plugin_config_t)
+
+can_exec(mozilla_plugin_config_t, mozilla_plugin_rw_t)
+manage_dirs_pattern(mozilla_plugin_config_t, mozilla_plugin_rw_t, mozilla_plugin_rw_t)
+manage_files_pattern(mozilla_plugin_config_t, mozilla_plugin_rw_t, mozilla_plugin_rw_t)
+manage_lnk_files_pattern(mozilla_plugin_config_t, mozilla_plugin_rw_t, mozilla_plugin_rw_t)
+
+manage_dirs_pattern(mozilla_plugin_config_t, mozilla_home_t, mozilla_home_t)
+manage_files_pattern(mozilla_plugin_config_t, mozilla_home_t, mozilla_home_t)
+manage_lnk_files_pattern(mozilla_plugin_config_t, mozilla_home_t, mozilla_home_t)
+
+corecmd_exec_bin(mozilla_plugin_config_t)
+corecmd_exec_shell(mozilla_plugin_config_t)
+
+kernel_read_system_state(mozilla_plugin_config_t)
+kernel_request_load_module(mozilla_plugin_config_t)
+
+domain_use_interactive_fds(mozilla_plugin_config_t)
+
+files_read_etc_files(mozilla_plugin_config_t)
+files_read_usr_files(mozilla_plugin_config_t)
+files_dontaudit_search_home(mozilla_plugin_config_t)
+files_list_tmp(mozilla_plugin_config_t)
+
+auth_use_nsswitch(mozilla_plugin_config_t)
+
+miscfiles_read_localization(mozilla_plugin_config_t)
+miscfiles_read_fonts(mozilla_plugin_config_t)
+
+userdom_search_user_home_content(mozilla_plugin_config_t)
+userdom_read_user_home_content_symlinks(mozilla_plugin_config_t)
+userdom_read_user_home_content_files(mozilla_plugin_config_t)
+userdom_dontaudit_search_admin_dir(mozilla_plugin_config_t)
+userdom_use_inherited_user_ptys(mozilla_plugin_config_t)
+
+domtrans_pattern(mozilla_plugin_config_t, mozilla_plugin_exec_t, mozilla_plugin_t)
+
+optional_policy(`
+ xserver_use_user_fonts(mozilla_plugin_config_t)
+')
+ifdef(`distro_redhat',`
+ typealias mozilla_plugin_t alias nsplugin_t;
+ typealias mozilla_plugin_exec_t alias nsplugin_exec_t;
+ typealias mozilla_plugin_rw_t alias nsplugin_rw_t;
+ typealias mozilla_plugin_tmp_t alias nsplugin_tmp_t;
+ typealias mozilla_home_t alias nsplugin_home_t;
+ typealias mozilla_plugin_config_t alias nsplugin_config_t;
+ typealias mozilla_plugin_config_exec_t alias nsplugin_config_exec_t;
+')
projects / people / stevee / selinux-policy.git / blobdiff