Remove module for chrome.
[people/stevee/selinux-policy.git] / policy / modules / apps / sandbox.te
index 5e75113d5ea65755d593903482de3818eece1132..f5cb481aea4f0573a2636417891b8a34eecc5496 100644 (file)
@@ -40,7 +40,12 @@ files_type(sandbox_devpts_t)
 #
 # sandbox xserver policy
 #
-allow sandbox_xserver_t self:process { execmem execstack };
+allow sandbox_xserver_t self:process execstack;
+
+tunable_policy(`deny_execmem',`',`
+       allow sandbox_xserver_t self:process execmem;
+')
+
 allow sandbox_xserver_t self:fifo_file manage_fifo_file_perms;
 allow sandbox_xserver_t self:shm create_shm_perms;
 allow sandbox_xserver_t self:tcp_socket create_stream_socket_perms;
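Review bot: `execstack` stays unconditionally allowed for `sandbox_xserver_t` while only `execmem` moves behind `deny_execmem`, so with the boolean enabled the policy still grants the permission to make the stack executable; the `sandbox_domain` and `sandbox_x_domain` hunks below have the same split. If the boolean is meant to keep sandboxed processes away from writable-and-executable memory, move `execstack` into the same false branch, e.g. `allow sandbox_xserver_t self:process { execmem execstack };` inside the `tunable_policy` block, and drop it from the unconditional rule. The empty true branch is easy to misread as a no-op, so a comment such as `# execmem is granted only while deny_execmem is off` above each block would help. `deny_execmem` is not declared in the visible lines, so it is worth confirming it is defined elsewhere in the policy (presumably the global tunables). The commit subject mentions only the chrome module removal, so this change to memory-protection permissions deserves its own line in the description.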
@@ -119,7 +124,11 @@ optional_policy(`
 # sandbox local policy
 #
 
-allow sandbox_domain self:process { getattr signal_perms getsched setsched setpgid execstack execmem };
+allow sandbox_domain self:process { getattr signal_perms getsched setsched setpgid execstack };
+tunable_policy(`deny_execmem',`',`
+       allow sandbox_domain self:process execmem;
+')
+
 allow sandbox_domain self:fifo_file manage_file_perms;
 allow sandbox_domain self:sem create_sem_perms;
 allow sandbox_domain self:shm create_shm_perms;
@@ -168,7 +177,11 @@ mta_dontaudit_read_spool_symlinks(sandbox_domain)
 #
 # sandbox_x_domain local policy
 #
-allow sandbox_x_domain self:process { getattr signal_perms getsched setsched setpgid execstack execmem };
+allow sandbox_x_domain self:process { getattr signal_perms getsched setsched setpgid execstack };
+tunable_policy(`deny_execmem',`',`
+       allow sandbox_x_domain self:process execmem;
+')
+
 allow sandbox_x_domain self:fifo_file manage_file_perms;
 allow sandbox_x_domain self:sem create_sem_perms;
 allow sandbox_x_domain self:shm create_shm_perms;
@@ -341,10 +354,6 @@ optional_policy(`
        hal_dbus_chat(sandbox_x_client_t)
 ')
 
-optional_policy(`
-       nsplugin_read_rw_files(sandbox_x_client_t)
-')
-
 ########################################
 #
 # sandbox_web_client_t local policy
@@ -434,16 +443,6 @@ optional_policy(`
        hal_dbus_chat(sandbox_web_type)
 ')
 
-optional_policy(`
-       chrome_domtrans_sandbox(sandbox_web_type)
-')
-
-optional_policy(`
-       nsplugin_manage_rw(sandbox_web_type)
-       nsplugin_read_rw_files(sandbox_web_type)
-       nsplugin_rw_exec(sandbox_web_type)
-')
-
 optional_policy(`
        pulseaudio_stream_connect(sandbox_web_type)
        allow sandbox_web_type self:netlink_kobject_uevent_socket create_socket_perms;
@@ -479,10 +478,3 @@ corenet_tcp_connect_all_ports(sandbox_net_client_t)
 corenet_sendrecv_all_client_packets(sandbox_net_client_t)
 
 auth_use_nsswitch(sandbox_net_client_t)
-
-optional_policy(`
-       mozilla_dontaudit_rw_user_home_files(sandbox_x_t)
-       mozilla_dontaudit_rw_user_home_files(sandbox_xserver_t)
-       mozilla_dontaudit_rw_user_home_files(sandbox_x_domain)
-       mozilla_plugin_dontaudit_leaks(sandbox_x_domain)
-')