Merge nsplugin into mozilla_plugin domain
authorDan Walsh <dwalsh@redhat.com>
Thu, 17 Nov 2011 18:28:26 +0000 (13:28 -0500)
committerDan Walsh <dwalsh@redhat.com>
Thu, 17 Nov 2011 18:28:26 +0000 (13:28 -0500)
policy/modules/admin/prelink.te
policy/modules/apps/mozilla.fc
policy/modules/apps/mozilla.if
policy/modules/apps/mozilla.te
policy/modules/kernel/devices.if
policy/modules/kernel/devices.te
policy/modules/kernel/domain.te
policy/modules/roles/unconfineduser.te
policy/modules/roles/xguest.te
policy/modules/services/abrt.te
policy/modules/system/userdomain.if

index ec838bd1d7cec6547a27517dab3b1def5a5e67d0..5d940f841a2b16f11dbd1c957bf170b3314a81e6 100644 (file)
@@ -126,7 +126,7 @@ optional_policy(`
 ')
 
 optional_policy(`
-       nsplugin_manage_rw_files(prelink_t)
+       mozilla_plugin_manage_rw_files(prelink_t)
 ')
 
 optional_policy(`
index 35b51ab4a0f1c46333ed37b73382f065a1fe43a5..800b5c882d4402eebadf94f8c545d5ddc68afad8 100644 (file)
@@ -4,6 +4,11 @@ HOME_DIR/\.mozilla(/.*)?               gen_context(system_u:object_r:mozilla_home_t,s0)
 HOME_DIR/\.thunderbird(/.*)?           gen_context(system_u:object_r:mozilla_home_t,s0)
 HOME_DIR/\.netscape(/.*)?              gen_context(system_u:object_r:mozilla_home_t,s0)
 HOME_DIR/\.phoenix(/.*)?               gen_context(system_u:object_r:mozilla_home_t,s0)
+HOME_DIR/\.adobe(/.*)?                 gen_context(system_u:object_r:mozilla_home_t,s0)
+HOME_DIR/\.macromedia(/.*)?            gen_context(system_u:object_r:mozilla_home_t,s0)
+HOME_DIR/\.gnash(/.*)?                 gen_context(system_u:object_r:mozilla_home_t,s0)
+HOME_DIR/\.gcjwebplugin(/.*)?          gen_context(system_u:object_r:mozilla_home_t,s0)
+HOME_DIR/\.icedteaplugin(/.*)?         gen_context(system_u:object_r:mozilla_home_t,s0)
 
 #
 # /bin
@@ -15,6 +20,9 @@ HOME_DIR/\.phoenix(/.*)?              gen_context(system_u:object_r:mozilla_home_t,s0)
 /usr/bin/epiphany              --      gen_context(system_u:object_r:mozilla_exec_t,s0)
 /usr/bin/mozilla-[0-9].*       --      gen_context(system_u:object_r:mozilla_exec_t,s0)
 /usr/bin/mozilla-bin-[0-9].*   --      gen_context(system_u:object_r:mozilla_exec_t,s0)
+/usr/bin/nspluginscan          --      gen_context(system_u:object_r:mozilla_plugin_exec_t,s0)
+/usr/bin/nspluginviewer                --      gen_context(system_u:object_r:mozilla_plugin_exec_t,s0)
+/usr/lib/nspluginwrapper/npviewer.bin  --      gen_context(system_u:object_r:mozilla_plugin_exec_t,s0)
 
 #
 # /lib
@@ -27,4 +35,9 @@ HOME_DIR/\.phoenix(/.*)?              gen_context(system_u:object_r:mozilla_home_t,s0)
 /usr/lib/firefox[^/]*/mozilla-.* -- gen_context(system_u:object_r:mozilla_exec_t,s0)
 /usr/lib/[^/]*firefox[^/]*/firefox-bin -- gen_context(system_u:object_r:mozilla_exec_t,s0)
 /usr/lib/[^/]*firefox[^/]*/firefox -- gen_context(system_u:object_r:mozilla_exec_t,s0)
+
 /usr/lib/xulrunner[^/]*/plugin-container               --      gen_context(system_u:object_r:mozilla_plugin_exec_t,s0)
+
+/usr/lib/mozilla/plugins-wrapped(/.*)?                 gen_context(system_u:object_r:mozilla_plugin_rw_t,s0)
+
+/usr/lib/nspluginwrapper/plugin-config                 --      gen_context(system_u:object_r:mozilla_plugin_config_exec_t,s0)
index b9b8ac255254efb9e2605f25c0af06cd380bca6d..c5928477b9067e60407053eec6d04d97a93c1bde 100644 (file)
@@ -208,10 +208,12 @@ interface(`mozilla_domtrans',`
 interface(`mozilla_domtrans_plugin',`
        gen_require(`
                type mozilla_plugin_t, mozilla_plugin_exec_t;
+               type mozilla_plugin_config_t, mozilla_plugin_config_exec_t;
                class dbus send_msg;
        ')
 
        domtrans_pattern($1, mozilla_plugin_exec_t, mozilla_plugin_t)
+       domtrans_pattern($2, mozilla_plugin_config_exec_t, mozilla_plugin_config_t)
        allow mozilla_plugin_t $1:process signull;
        allow $1 mozilla_plugin_t:unix_stream_socket { connectto rw_socket_perms };
        allow $1 mozilla_plugin_t:fd use;
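Review bot: The added `domtrans_pattern($2, mozilla_plugin_config_exec_t, mozilla_plugin_config_t)` uses `$2` as its source domain, but the only caller visible in this diff, `mozilla_domtrans_plugin($1)` inside `mozilla_run_plugin`, passes a single argument, so `$2` expands to nothing there. Depending on how the pattern expands, that either breaks the build or leaves the caller without the transition into `mozilla_plugin_config_t` that the new `role ... types mozilla_plugin_config_t` lines assume. The line most likely should read `domtrans_pattern($1, mozilla_plugin_config_exec_t, mozilla_plugin_config_t)`. The interface's parameter documentation and the end of its body are outside this hunk, so check that it still documents one parameter.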
@@ -247,6 +249,7 @@ interface(`mozilla_run_plugin',`
 
        mozilla_domtrans_plugin($1)
        role $2 types mozilla_plugin_t;
+       role $2 types mozilla_plugin_config_t;
 ')
 
 #######################################
@@ -266,6 +269,7 @@ interface(`mozilla_role_plugin',`
     ')
 
     role $1 types mozilla_plugin_t;
+    role $1 types mozilla_plugin_config_t;
 ')
 
 ########################################
@@ -360,3 +364,23 @@ interface(`mozilla_plugin_dontaudit_leaks',`
 
        dontaudit $1 mozilla_plugin_t:unix_stream_socket { read write };
 ')
+
+########################################
+## <summary>
+##     Create, read, write, and delete
+##     mozilla_plugin rw files.
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+#
+interface(`mozilla_plugin_manage_rw_files',`
+       gen_require(`
+               type mozilla_plugin_rw_t;
+       ')
+
+       allow $1 mozilla_plugin_rw_t:file manage_file_perms;
+       allow $1 mozilla_plugin_rw_t:dir rw_dir_perms;
+')
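Review bot: The two raw `allow` rules in `mozilla_plugin_manage_rw_files` hand-write what the pattern macros used elsewhere in this commit already express. Writing `manage_files_pattern($1, mozilla_plugin_rw_t, mozilla_plugin_rw_t)` would keep the interface consistent with the `manage_files_pattern` and `read_files_pattern` calls added in mozilla.te. The summary could also say that this type labels `/usr/lib/mozilla/plugins-wrapped`, whose content `mozilla_plugin_t` later reads. That would make it clear to callers that they are being given write access to plugin code.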
index 75d0b62c295b30eb71fff9291f5f5e16b96d90fb..c421a7846b38d0320fd564055b15c665c38de75e 100644 (file)
@@ -23,7 +23,7 @@ type mozilla_conf_t;
 files_config_file(mozilla_conf_t)
 
 type mozilla_home_t;
-typealias mozilla_home_t alias { user_mozilla_home_t staff_mozilla_home_t sysadm_mozilla_home_t };
+typealias mozilla_home_t alias { user_mozilla_home_t staff_mozilla_home_t sysadm_mozilla_home_t nsplugin_home_t };
 typealias mozilla_home_t alias { auditadm_mozilla_home_t secadm_mozilla_home_t };
 files_poly_member(mozilla_home_t)
 userdom_user_home_content(mozilla_home_t)
@@ -43,6 +43,13 @@ userdom_user_tmpfs_content(mozilla_plugin_tmpfs_t)
 files_tmpfs_file(mozilla_plugin_tmpfs_t)
 ubac_constrained(mozilla_plugin_tmpfs_t)
 
+type mozilla_plugin_rw_t alias nsplugin_rw_t;
+files_type(mozilla_plugin_rw_t)
+
+type mozilla_plugin_config_t;
+type mozilla_plugin_config_exec_t;
+application_domain(mozilla_plugin_config_t, mozilla_plugin_config_exec_t)
+
 type mozilla_tmp_t;
 files_tmp_file(mozilla_tmp_t)
 ubac_constrained(mozilla_tmp_t)
@@ -279,11 +286,6 @@ optional_policy(`
        mplayer_read_user_home_files(mozilla_t)
 ')
 
-optional_policy(`
-       nsplugin_manage_rw(mozilla_t)
-       nsplugin_manage_home_files(mozilla_t)
-')
-
 optional_policy(`
        pulseaudio_exec(mozilla_t)
        pulseaudio_stream_connect(mozilla_t)
@@ -330,6 +332,10 @@ manage_fifo_files_pattern(mozilla_plugin_t, mozilla_plugin_tmpfs_t, mozilla_plug
 manage_sock_files_pattern(mozilla_plugin_t, mozilla_plugin_tmpfs_t, mozilla_plugin_tmpfs_t)
 fs_tmpfs_filetrans(mozilla_plugin_t, mozilla_plugin_tmpfs_t, { file lnk_file sock_file fifo_file })
 
+allow mozilla_plugin_t mozilla_plugin_rw_t:dir list_dir_perms;
+read_lnk_files_pattern(mozilla_plugin_t, mozilla_plugin_rw_t, mozilla_plugin_rw_t)
+read_files_pattern(mozilla_plugin_t, mozilla_plugin_rw_t, mozilla_plugin_rw_t)
+
 can_exec(mozilla_plugin_t, mozilla_exec_t)
 
 kernel_read_kernel_sysctls(mozilla_plugin_t)
@@ -451,17 +457,6 @@ optional_policy(`
        mplayer_read_user_home_files(mozilla_plugin_t)
 ')
 
-optional_policy(`
-       nsplugin_domtrans(mozilla_plugin_t)
-       nsplugin_rw_exec(mozilla_plugin_t)
-       nsplugin_manage_home_dirs(mozilla_plugin_t)
-       nsplugin_manage_home_files(mozilla_plugin_t)
-       nsplugin_user_home_dir_filetrans(mozilla_plugin_t, dir)
-       nsplugin_user_home_filetrans(mozilla_plugin_t, file)
-       nsplugin_read_rw_files(mozilla_plugin_t);
-       nsplugin_signal(mozilla_plugin_t)
-')
-
 optional_policy(`
        pulseaudio_exec(mozilla_plugin_t)
        pulseaudio_stream_connect(mozilla_plugin_t)
@@ -491,3 +486,61 @@ optional_policy(`
        xserver_append_xdm_home_files(mozilla_plugin_t);
 ')
 
+########################################
+#
+# mozilla_plugin_config local policy
+#
+
+allow mozilla_plugin_config_t self:capability { dac_override dac_read_search sys_nice setuid setgid };
+allow mozilla_plugin_config_t self:process { setsched signal_perms getsched execmem };
+
+allow mozilla_plugin_config_t self:fifo_file rw_file_perms;
+allow mozilla_plugin_config_t self:unix_stream_socket create_stream_socket_perms;
+
+manage_files_pattern(mozilla_plugin_config_t, mozilla_home_t, mozilla_home_t)
+
+dev_search_sysfs(mozilla_plugin_config_t)
+dev_read_urand(mozilla_plugin_config_t)
+dev_dontaudit_read_rand(mozilla_plugin_config_t)
+dev_dontaudit_rw_dri(mozilla_plugin_config_t)
+
+fs_search_auto_mountpoints(mozilla_plugin_config_t)
+fs_list_inotifyfs(mozilla_plugin_config_t)
+
+can_exec(mozilla_plugin_config_t, mozilla_plugin_rw_t)
+manage_dirs_pattern(mozilla_plugin_config_t, mozilla_plugin_rw_t, mozilla_plugin_rw_t)
+manage_files_pattern(mozilla_plugin_config_t, mozilla_plugin_rw_t, mozilla_plugin_rw_t)
+manage_lnk_files_pattern(mozilla_plugin_config_t, mozilla_plugin_rw_t, mozilla_plugin_rw_t)
+
+manage_dirs_pattern(mozilla_plugin_config_t, mozilla_plugin_home_t, mozilla_plugin_home_t)
+manage_files_pattern(mozilla_plugin_config_t, mozilla_plugin_home_t, mozilla_plugin_home_t)
+manage_lnk_files_pattern(mozilla_plugin_config_t, mozilla_plugin_home_t, mozilla_plugin_home_t)
+
+corecmd_exec_bin(mozilla_plugin_config_t)
+corecmd_exec_shell(mozilla_plugin_config_t)
+
+kernel_read_system_state(mozilla_plugin_config_t)
+kernel_request_load_module(mozilla_plugin_config_t)
+
+domain_use_interactive_fds(mozilla_plugin_config_t)
+
+files_read_etc_files(mozilla_plugin_config_t)
+files_read_usr_files(mozilla_plugin_config_t)
+files_dontaudit_search_home(mozilla_plugin_config_t)
+files_list_tmp(mozilla_plugin_config_t)
+
+auth_use_nsswitch(mozilla_plugin_config_t)
+
+miscfiles_read_localization(mozilla_plugin_config_t)
+miscfiles_read_fonts(mozilla_plugin_config_t)
+
+userdom_search_user_home_content(mozilla_plugin_config_t)
+userdom_read_user_home_content_symlinks(mozilla_plugin_config_t)
+userdom_read_user_home_content_files(mozilla_plugin_config_t)
+userdom_dontaudit_search_admin_dir(mozilla_plugin_config_t)
+
+domtrans_pattern(mozilla_plugin_config_t, mozilla_plugin_exec_t, mozilla_plugin_t)
+
+optional_policy(`
+       xserver_use_user_fonts(mozilla_plugin_config_t)
+')
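Review bot: The three `manage_*_pattern` rules on `mozilla_plugin_home_t` refer to a type that no hunk in this commit declares; the commit instead folds `nsplugin_home_t` into `mozilla_home_t` as an alias. Unless mozilla.te declares that type elsewhere, the module will not compile. The intent was probably `manage_dirs_pattern(mozilla_plugin_config_t, mozilla_home_t, mozilla_home_t)` and `manage_lnk_files_pattern(mozilla_plugin_config_t, mozilla_home_t, mozilla_home_t)`, next to the `manage_files_pattern` on `mozilla_home_t` that is already in this block. Separately, the domain is granted `dac_override`, `setuid`, `setgid` and `execmem`, and can both write and execute `mozilla_plugin_rw_t`. Since the mozilla.if changes authorise user roles for this domain, a comment naming which plugin-config operation needs each grant would make later tightening possible.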
index 39b1056d7218248e73a270824c392d56608b0f46..cc3f02e2873b4c62f601918a5d5f8429e3c4939e 100644 (file)
@@ -4174,6 +4174,30 @@ interface(`dev_dontaudit_write_sysfs_dirs',`
        dontaudit $1 sysfs_t:dir write;
 ')
 
+########################################
+## <summary>
+##     Read cpu online hardware state information.
+## </summary>
+## <desc>
+##     <p>
+##     Allow the specified domain to read /sys/devices/system/cpu/online file.
+##     </p>
+## </desc>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+#
+interface(`dev_read_cpu_online',`
+       gen_require(`
+               type cpu_online_t;
+       ')
+
+       dev_search_sysfs($1)
+       read_files_pattern($1, cpu_online_t, cpu_online_t)
+')
+
 ########################################
 ## <summary>
 ##     Read hardware state information.
index 1c2562ccdf0b2ae47048d576ae0bd06cfe6b406c..112bebba737fc00c21a5b474263bd505b3d24392 100644 (file)
@@ -225,6 +225,10 @@ files_mountpoint(sysfs_t)
 fs_type(sysfs_t)
 genfscon sysfs / gen_context(system_u:object_r:sysfs_t,s0)
 
+type cpu_online_t;
+allow cpu_online_t sysfs_t:filesystem associate;
+genfscon sysfs /devices/system/cpu/online gen_context(system_u:object_r:cpu_online_t,s0)
+
 #
 # Type for /dev/tpm
 #
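Review bot: `cpu_online_t` is declared bare, with a hand-written `allow cpu_online_t sysfs_t:filesystem associate;` and no file attribute, so attribute-based rules (for example for domains allowed to read or relabel all file types) will not cover it. Adding `files_type(cpu_online_t)` after the declaration, as this commit does for `mozilla_plugin_rw_t`, would bring it in line with the other file types. It is also worth confirming that the target kernel honours a `genfscon sysfs` entry for a path below `/`. If it does not, the file keeps `sysfs_t` and the new type is never applied.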
index f9a1bccb30e0f8fcc16569ace7f1d1343b04f197..a4784313fb9ea3200be18dd12468eeb262fc236e 100644 (file)
@@ -115,6 +115,7 @@ kernel_dontaudit_search_debugfs(domain)
 allow domain self:process { fork getsched sigchld };
 
 # Use trusted objects in /dev
+dev_read_cpu_online(domain)
 dev_rw_null(domain)
 dev_rw_zero(domain)
 term_use_controlling_term(domain)
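Review bot: `dev_read_cpu_online(domain)` is added under the comment `# Use trusted objects in /dev`, but the object is a sysfs file. Because the interface in devices.if also calls `dev_search_sysfs($1)`, this line lets every domain search `sysfs_t` directories, not just read one file. A separate comment above the line, such as `# Every domain may read /sys/devices/system/cpu/online (includes sysfs dir search)`, would make that scope visible to anyone auditing domain.te. If sysfs directory search for all domains is not intended, the interface would need narrowing instead.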
index 11ad8fb17350cb2a3d9f0e944f42a820970685b3..35524d68fe7d80cf56107d625b8326300c15548e 100644 (file)
@@ -6,13 +6,6 @@ policy_module(unconfineduser, 1.0.0)
 #
 attribute unconfined_login_domain;
 
-## <desc>
-## <p>
-##  allow unconfined users to transition to the nsplugin domains when running nspluginviewer
-## </p>
-## </desc>
-gen_tunable(allow_unconfined_nsplugin_transition, false)
-
 ## <desc>
 ## <p>
 ## allow unconfined users to transition to the chrome sandbox domains when running chrome-sandbox
@@ -128,14 +121,6 @@ optional_policy(`
                attribute unconfined_usertype;
        ')
 
-       nsplugin_role_notrans(unconfined_r, unconfined_usertype)
-       optional_policy(`
-               tunable_policy(`allow_unconfined_nsplugin_transition',`
-                     nsplugin_domtrans(unconfined_usertype)
-                     nsplugin_domtrans_config(unconfined_usertype)
-               ')
-       ')
-
        optional_policy(`
                abrt_dbus_chat(unconfined_usertype)
                abrt_run_helper(unconfined_usertype, unconfined_r)
index 6f176f91672b6a758e611f8db514350ffc9f1bac..0258e247e4af7d331cec44d5053e8e80005eeb31 100644 (file)
@@ -116,10 +116,6 @@ optional_policy(`
        mozilla_run_plugin(xguest_usertype, xguest_r)
 ')
 
-optional_policy(`
-       nsplugin_role(xguest_r, xguest_t)
-')
-
 optional_policy(`
        pcscd_read_pub_files(xguest_usertype)
        pcscd_stream_connect(xguest_usertype)
index d5a9038ecc0c1435b499d3749e0496a3cea53c9f..a1cbdb4a7601f3538829567c2e3bedd47bed001e 100644 (file)
@@ -207,11 +207,6 @@ optional_policy(`
        dbus_system_domain(abrt_t, abrt_exec_t)
 ')
 
-optional_policy(`
-       nsplugin_read_rw_files(abrt_t)
-       nsplugin_read_home(abrt_t)
-')
-
 optional_policy(`
        policykit_dbus_chat(abrt_t)
        policykit_domtrans_auth(abrt_t)
index 0b3811da326fbb9cfd53068d6b0233aef442d222..0281618f6763fd1bcc18391b79cbc68b08fd3e5e 100644 (file)
@@ -786,10 +786,6 @@ template(`userdom_common_user_template',`
                mta_filetrans_home_content($1_usertype)
        ')
 
-       optional_policy(`
-               nsplugin_role($1_r, $1_usertype)
-       ')
-
        optional_policy(`
                tunable_policy(`allow_user_mysql_connect',`
                        mysql_stream_connect($1_t)