-policy_module(awstats, 1.3.0)
+policy_module(awstats, 1.3.1)
########################################
#
nscd_dontaudit_search_pid(awstats_t)
')
+optional_policy(`
+ squid_read_log(awstats_t)
+')
+
########################################
#
# awstats cgi script policy
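Review bot: The new optional_policy block holding `squid_read_log(awstats_t)` is placed directly after the preceding `')` with no separating blank line, whereas the calamaris change in this same commit (and the rest of this file, judging by the blank line added after the block) keeps one blank line between optional_policy blocks. Insert a blank line before the new `optional_policy(` so the two blocks read as siblings. The enclosing awstats local policy section starts before the hunk.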
-policy_module(calamaris, 1.6.0)
+policy_module(calamaris, 1.6.1)
########################################
#
userdom_dontaudit_list_user_home_dirs(calamaris_t)
-squid_read_log(calamaris_t)
-
optional_policy(`
apache_search_sys_content(calamaris_t)
')
optional_policy(`
mta_send_mail(calamaris_t)
')
+
+optional_policy(`
+ squid_read_log(calamaris_t)
+')
-policy_module(cdrecord, 2.3.0)
+policy_module(cdrecord, 2.3.1)
########################################
#
#
allow cdrecord_t self:capability { ipc_lock sys_nice setuid dac_override sys_rawio };
-allow cdrecord_t self:process { getcap getsched setsched sigkill };
+allow cdrecord_t self:process { getcap getsched setrlimit setsched sigkill };
allow cdrecord_t self:unix_dgram_socket create_socket_perms;
allow cdrecord_t self:unix_stream_socket create_stream_socket_perms;
# growisofs uses mkisofs
-corecmd_exec_bin(cdrecord_t)
+corecmd_exec_bin(cdrecord_t)
# allow searching for cdrom-drive
-dev_list_all_dev_nodes(cdrecord_t)
+dev_list_all_dev_nodes(cdrecord_t)
dev_read_sysfs(cdrecord_t)
domain_interactive_fd(cdrecord_t)
## <summary>Command-line CPU frequency settings.</summary>
+
+########################################
+## <summary>
+## Send and receive messages from
+## cpufreq-selector over dbus.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`cpufreqselector_dbus_chat',`
+ gen_require(`
+ type cpufreqselector_t;
+ class dbus send_msg;
+ ')
+
+ allow $1 cpufreqselector_t:dbus send_msg;
+ allow cpufreqselector_t $1:dbus send_msg;
+')
-policy_module(cpufreqselector, 1.2.2)
+policy_module(cpufreqselector, 1.2.3)
########################################
#
-policy_module(kdumpgui, 1.0.0)
+policy_module(kdumpgui, 1.0.1)
########################################
#
# system-config-kdump local policy
#
+allow kdumpgui_t self:capability { net_admin sys_admin sys_rawio };
allow kdumpgui_t self:fifo_file rw_fifo_file_perms;
allow kdumpgui_t self:netlink_kobject_uevent_socket create_socket_perms;
# for blkid.tab
files_manage_etc_runtime_files(kdumpgui_t)
files_etc_filetrans_etc_runtime(kdumpgui_t, file)
+files_read_usr_files(kdumpgui_t)
storage_raw_read_fixed_disk(kdumpgui_t)
storage_raw_write_fixed_disk(kdumpgui_t)
auth_use_nsswitch(kdumpgui_t)
-consoletype_exec(kdumpgui_t)
-
-kdump_manage_config(kdumpgui_t)
-kdump_initrc_domtrans(kdumpgui_t)
-
logging_send_syslog_msg(kdumpgui_t)
miscfiles_read_localization(kdumpgui_t)
init_dontaudit_read_all_script_files(kdumpgui_t)
+optional_policy(`
+ consoletype_exec(kdumpgui_t)
+')
+
optional_policy(`
dev_rw_lvm_control(kdumpgui_t)
')
+optional_policy(`
+ kdump_manage_config(kdumpgui_t)
+ kdump_initrc_domtrans(kdumpgui_t)
+')
+
optional_policy(`
policykit_dbus_chat(kdumpgui_t)
')
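Review bot: The added `allow kdumpgui_t self:capability { net_admin sys_admin sys_rawio };` carries no comment naming the operation that needs `sys_admin` and `net_admin`, although this file annotates its other non-obvious grants (`# for blkid.tab`). Combined with the existing `storage_raw_read_fixed_disk`/`storage_raw_write_fixed_disk` rules, `sys_admin` plus `sys_rawio` leaves very little that kdumpgui_t cannot do at the device level, so the reason should be recorded and the set re-checked against the actual denials rather than granted as a bundle. Suggested comment above the rule: `# net_admin/sys_admin: needed for <OPERATION - confirm from the audit log before merge>`. The type declarations for kdumpgui_t and the rest of this policy lie outside the hunk.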
')
files_search_tmp($1)
- allow $1 livecd_tmp_t:file rw_file_perms;
+ rw_files_pattern($1, livecd_tmp_t, livecd_tmp_t)
')
########################################
-policy_module(livecd, 1.0.0)
+policy_module(livecd, 1.0.1)
########################################
#
relabel_files_pattern($2, mozilla_home_t, mozilla_home_t)
relabel_lnk_files_pattern($2, mozilla_home_t, mozilla_home_t)
+ mozilla_run_plugin(mozilla_t, $2)
mozilla_dbus_chat($2)
optional_policy(`
dontaudit $1 mozilla_home_t:file manage_file_perms;
')
+########################################
+## <summary>
+## Execute mozilla home directory content.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`mozilla_exec_user_home_files',`
+ gen_require(`
+ type mozilla_home_t;
+ ')
+
+ can_exec($1, mozilla_home_t)
+')
+
########################################
## <summary>
## Execmod mozilla home directory content.
domtrans_pattern($1, mozilla_exec_t, mozilla_t)
')
+########################################
+## <summary>
+## Execute a domain transition to run mozilla_plugin.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`mozilla_domtrans_plugin',`
+ gen_require(`
+ type mozilla_plugin_t, mozilla_plugin_exec_t, mozilla_plugin_tmpfs_t;
+ class dbus send_msg;
+ ')
+
+ domtrans_pattern($1, mozilla_plugin_exec_t, mozilla_plugin_t)
+ allow mozilla_plugin_t $1:process signull;
+')
+
+########################################
+## <summary>
+## Execute mozilla_plugin in the mozilla_plugin domain, and
+## allow the specified role the mozilla_plugin domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## The role to be allowed the mozilla_plugin domain.
+## </summary>
+## </param>
+#
+interface(`mozilla_run_plugin',`
+ gen_require(`
+ type mozilla_plugin_t;
+ ')
+
+ mozilla_domtrans_plugin($1)
+ role $2 types mozilla_plugin_t;
+')
+
########################################
## <summary>
## Send and receive messages from
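Review bot: `mozilla_domtrans_plugin` lists `mozilla_plugin_tmpfs_t` and `class dbus send_msg` in its `gen_require`, but its body uses neither, so the require should be trimmed to `type mozilla_plugin_t, mozilla_plugin_exec_t;` to avoid carrying dependencies the interface does not need. `mozilla_run_plugin` is already minimal in that respect. Minor style point in the same hunk: the `Domain allowed access` summaries in `mozilla_run_plugin` lack the trailing period that every other param summary in this file uses (`Domain allowed access.`).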
allow $1 mozilla_t:tcp_socket rw_socket_perms;
')
+
+########################################
+## <summary>
+## Read mozilla_plugin tmpfs files
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access
+## </summary>
+## </param>
+#
+interface(`mozilla_plugin_read_tmpfs_files',`
+ gen_require(`
+ type mozilla_plugin_tmpfs_t;
+ ')
+
+ allow $1 mozilla_plugin_tmpfs_t:file read_file_perms;
+')
+
+########################################
+## <summary>
+## Delete mozilla_plugin tmpfs files
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access
+## </summary>
+## </param>
+#
+interface(`mozilla_plugin_delete_tmpfs_files',`
+ gen_require(`
+ type mozilla_plugin_tmpfs_t;
+ ')
+
+ allow $1 mozilla_plugin_tmpfs_t:file unlink;
+')
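Review bot: `mozilla_plugin_read_tmpfs_files` and `mozilla_plugin_delete_tmpfs_files` grant file permissions on `mozilla_plugin_tmpfs_t` but give the caller no search access to the tmpfs directories those files live in, so a caller without its own tmpfs access cannot reach them; either add `fs_search_tmpfs($1)` to both interfaces or state in each `<summary>` that directory access is the caller's responsibility. The delete variant grants a bare `unlink`, which is fine here since `delete_files_pattern` would require a directory type the tmpfs has no dedicated label for, but a one-line comment such as `# unlink only; tmpfs directory search is left to the caller` would stop the next reader from "fixing" it. Both summaries also lack the trailing period used by the rest of the file.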
-policy_module(mozilla, 2.3.1)
+policy_module(mozilla, 2.3.2)
########################################
#
## <desc>
## <p>
-## Control mozilla content access
+## Allow confined web browsers to read home directory content
## </p>
## </desc>
gen_tunable(mozilla_read_content, false)
typealias mozilla_home_t alias { auditadm_mozilla_home_t secadm_mozilla_home_t };
userdom_user_home_content(mozilla_home_t)
+type mozilla_plugin_t;
+type mozilla_plugin_exec_t;
+application_domain(mozilla_plugin_t, mozilla_plugin_exec_t)
+role system_r types mozilla_plugin_t;
+
+type mozilla_plugin_tmp_t;
+files_tmp_file(mozilla_plugin_tmp_t)
+ubac_constrained(mozilla_plugin_tmp_t)
+
+type mozilla_plugin_tmpfs_t;
+files_tmpfs_file(mozilla_plugin_tmpfs_t)
+ubac_constrained(mozilla_plugin_tmpfs_t)
+
type mozilla_tmp_t;
files_tmp_file(mozilla_tmp_t)
ubac_constrained(mozilla_tmp_t)
corenet_raw_sendrecv_generic_node(mozilla_t)
corenet_tcp_sendrecv_http_port(mozilla_t)
corenet_tcp_sendrecv_http_cache_port(mozilla_t)
+corenet_tcp_sendrecv_squid_port(mozilla_t)
corenet_tcp_sendrecv_ftp_port(mozilla_t)
corenet_tcp_sendrecv_ipp_port(mozilla_t)
corenet_tcp_connect_http_port(mozilla_t)
corenet_tcp_connect_http_cache_port(mozilla_t)
+corenet_tcp_connect_squid_port(mozilla_t)
corenet_tcp_connect_ftp_port(mozilla_t)
corenet_tcp_connect_ipp_port(mozilla_t)
corenet_tcp_connect_generic_port(mozilla_t)
corenet_tcp_connect_soundd_port(mozilla_t)
corenet_sendrecv_http_client_packets(mozilla_t)
corenet_sendrecv_http_cache_client_packets(mozilla_t)
+corenet_sendrecv_squid_client_packets(mozilla_t)
corenet_sendrecv_ftp_client_packets(mozilla_t)
corenet_sendrecv_ipp_client_packets(mozilla_t)
corenet_sendrecv_generic_client_packets(mozilla_t)
userdom_read_user_home_content_files(mozilla_t)
userdom_read_user_home_content_symlinks(mozilla_t)
- ifdef(`enable_mls',`',`
+ ifndef(`enable_mls',`
fs_search_removable(mozilla_t)
fs_read_removable_files(mozilla_t)
fs_read_removable_symlinks(mozilla_t)
optional_policy(`
thunderbird_domtrans(mozilla_t)
')
+
+########################################
+#
+# mozilla_plugin local policy
+#
+
+dontaudit mozilla_plugin_t self:capability { sys_ptrace };
+allow mozilla_plugin_t self:process { setsched signal_perms execmem };
+allow mozilla_plugin_t self:fifo_file manage_fifo_file_perms;
+allow mozilla_plugin_t self:unix_stream_socket { connectto create_stream_socket_perms };
+allow mozilla_plugin_t self:tcp_socket create_stream_socket_perms;
+allow mozilla_plugin_t self:udp_socket create_socket_perms;
+allow mozilla_plugin_t self:netlink_route_socket r_netlink_socket_perms;
+allow mozilla_plugin_t self:netlink_kobject_uevent_socket create_socket_perms;
+allow mozilla_plugin_t self:sem create_sem_perms;
+allow mozilla_plugin_t self:shm create_shm_perms;
+
+can_exec(mozilla_plugin_t, mozilla_home_t)
+read_files_pattern(mozilla_plugin_t, mozilla_home_t, mozilla_home_t)
+
+manage_dirs_pattern(mozilla_plugin_t, mozilla_plugin_tmp_t, mozilla_plugin_tmp_t)
+manage_files_pattern(mozilla_plugin_t, mozilla_plugin_tmp_t, mozilla_plugin_tmp_t)
+manage_fifo_files_pattern(mozilla_plugin_t, mozilla_plugin_tmp_t, mozilla_plugin_tmp_t)
+files_tmp_filetrans(mozilla_plugin_t, mozilla_plugin_tmp_t, { dir file fifo_file })
+userdom_user_tmp_filetrans(mozilla_plugin_t, mozilla_plugin_tmp_t, { dir file fifo_file })
+
+manage_files_pattern(mozilla_plugin_t, mozilla_plugin_tmpfs_t, mozilla_plugin_tmpfs_t)
+manage_lnk_files_pattern(mozilla_plugin_t, mozilla_plugin_tmpfs_t, mozilla_plugin_tmpfs_t)
+manage_fifo_files_pattern(mozilla_plugin_t, mozilla_plugin_tmpfs_t, mozilla_plugin_tmpfs_t)
+manage_sock_files_pattern(mozilla_plugin_t, mozilla_plugin_tmpfs_t, mozilla_plugin_tmpfs_t)
+fs_tmpfs_filetrans(mozilla_plugin_t, mozilla_plugin_tmpfs_t, { file lnk_file sock_file fifo_file })
+
+can_exec(mozilla_plugin_t, mozilla_exec_t)
+
+kernel_read_kernel_sysctls(mozilla_plugin_t)
+kernel_read_system_state(mozilla_plugin_t)
+kernel_read_network_state(mozilla_plugin_t)
+kernel_request_load_module(mozilla_plugin_t)
+
+corecmd_exec_bin(mozilla_plugin_t)
+corecmd_exec_shell(mozilla_plugin_t)
+
+corenet_all_recvfrom_netlabel(mozilla_plugin_t)
+corenet_all_recvfrom_unlabeled(mozilla_plugin_t)
+corenet_tcp_sendrecv_generic_if(mozilla_plugin_t)
+corenet_tcp_sendrecv_generic_node(mozilla_plugin_t)
+corenet_tcp_connect_generic_port(mozilla_plugin_t)
+corenet_tcp_connect_pulseaudio_port(mozilla_plugin_t)
+corenet_tcp_connect_http_port(mozilla_plugin_t)
+corenet_tcp_connect_http_cache_port(mozilla_plugin_t)
+corenet_tcp_connect_squid_port(mozilla_plugin_t)
+corenet_tcp_connect_ipp_port(mozilla_plugin_t)
+corenet_tcp_connect_mmcc_port(mozilla_plugin_t)
+corenet_tcp_connect_speech_port(mozilla_plugin_t)
+
+dev_read_rand(mozilla_plugin_t)
+dev_read_urand(mozilla_plugin_t)
+dev_read_video_dev(mozilla_plugin_t)
+dev_write_video_dev(mozilla_plugin_t)
+dev_read_sysfs(mozilla_plugin_t)
+dev_read_sound(mozilla_plugin_t)
+dev_write_sound(mozilla_plugin_t)
+# for nvidia driver
+dev_rw_xserver_misc(mozilla_plugin_t)
+dev_dontaudit_rw_dri(mozilla_plugin_t)
+
+domain_use_interactive_fds(mozilla_plugin_t)
+domain_dontaudit_read_all_domains_state(mozilla_plugin_t)
+
+files_read_config_files(mozilla_plugin_t)
+files_read_usr_files(mozilla_plugin_t)
+files_list_mnt(mozilla_plugin_t)
+
+fs_getattr_all_fs(mozilla_plugin_t)
+fs_list_dos(mozilla_plugin_t)
+fs_read_dos_files(mozilla_plugin_t)
+
+application_dontaudit_signull(mozilla_plugin_t)
+
+auth_use_nsswitch(mozilla_plugin_t)
+
+logging_send_syslog_msg(mozilla_plugin_t)
+
+miscfiles_read_localization(mozilla_plugin_t)
+miscfiles_read_fonts(mozilla_plugin_t)
+miscfiles_read_generic_certs(mozilla_plugin_t)
+miscfiles_dontaudit_setattr_fonts_dirs(mozilla_plugin_t)
+miscfiles_dontaudit_setattr_fonts_cache_dirs(mozilla_plugin_t)
+
+sysnet_dns_name_resolve(mozilla_plugin_t)
+
+term_getattr_all_ttys(mozilla_plugin_t)
+term_getattr_all_ptys(mozilla_plugin_t)
+
+userdom_rw_user_tmpfs_files(mozilla_plugin_t)
+userdom_dontaudit_use_user_terminals(mozilla_plugin_t)
+userdom_manage_user_tmp_sockets(mozilla_plugin_t)
+userdom_manage_user_tmp_dirs(mozilla_plugin_t)
+userdom_read_user_tmp_files(mozilla_plugin_t)
+userdom_read_user_tmp_symlinks(mozilla_plugin_t)
+userdom_read_user_home_content_files(mozilla_plugin_t)
+userdom_read_user_home_content_symlinks(mozilla_plugin_t)
+
+tunable_policy(`allow_execmem',`
+ allow mozilla_plugin_t self:process { execmem execstack };
+')
+
+tunable_policy(`allow_execstack',`
+ allow mozilla_plugin_t self:process { execstack };
+')
+
+tunable_policy(`use_nfs_home_dirs',`
+ fs_manage_nfs_dirs(mozilla_plugin_t)
+ fs_manage_nfs_files(mozilla_plugin_t)
+ fs_manage_nfs_symlinks(mozilla_plugin_t)
+')
+
+tunable_policy(`use_samba_home_dirs',`
+ fs_manage_cifs_dirs(mozilla_plugin_t)
+ fs_manage_cifs_files(mozilla_plugin_t)
+ fs_manage_cifs_symlinks(mozilla_plugin_t)
+')
+
+optional_policy(`
+ alsa_read_rw_config(mozilla_plugin_t)
+ alsa_read_home_files(mozilla_plugin_t)
+')
+
+optional_policy(`
+ dbus_system_bus_client(mozilla_plugin_t)
+ dbus_session_bus_client(mozilla_plugin_t)
+ dbus_read_lib_files(mozilla_plugin_t)
+')
+
+optional_policy(`
+ gnome_manage_config(mozilla_plugin_t)
+')
+
+optional_policy(`
+ java_exec(mozilla_plugin_t)
+')
+
+optional_policy(`
+ mplayer_exec(mozilla_plugin_t)
+ mplayer_read_user_home_files(mozilla_plugin_t)
+')
+
+optional_policy(`
+ pcscd_stream_connect(mozilla_plugin_t)
+')
+
+optional_policy(`
+ pulseaudio_exec(mozilla_plugin_t)
+ pulseaudio_stream_connect(mozilla_plugin_t)
+ pulseaudio_setattr_home_dir(mozilla_plugin_t)
+ pulseaudio_manage_home_files(mozilla_plugin_t)
+')
+
+optional_policy(`
+ xserver_read_xdm_pid(mozilla_plugin_t)
+ xserver_stream_connect(mozilla_plugin_t)
+ xserver_use_user_fonts(mozilla_plugin_t)
+')
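Review bot: `allow mozilla_plugin_t self:process { setsched signal_perms execmem };` grants execmem unconditionally, so the `tunable_policy(allow_execmem, ...)` block further down cannot withhold it, and that same block also grants `execstack`, which means disabling `allow_execstack` has no effect while `allow_execmem` is on. Drop `execmem` from the base allow and reduce the allow_execmem branch to `allow mozilla_plugin_t self:process execmem;`, leaving execstack to its own tunable. Separately, `can_exec(mozilla_plugin_t, mozilla_home_t)` lets the plugin domain execute user-writable browser content, which is exactly what the tunables above are meant to keep controllable; a comment naming the plugin that needs it (or a tunable around it, following the pattern already used in this section) would make the grant auditable. The `mozilla_read_content` and home-directory rules this section depends on are defined earlier in the file, outside the hunk.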
-policy_module(podsleuth, 1.4.0)
+policy_module(podsleuth, 1.4.1)
########################################
#
# podsleuth local policy
#
allow podsleuth_t self:capability { kill dac_override sys_admin sys_rawio };
-allow podsleuth_t self:process { ptrace signal getsched execheap execmem execstack };
+allow podsleuth_t self:process { ptrace signal signull getsched execheap execmem execstack };
allow podsleuth_t self:fifo_file rw_file_perms;
allow podsleuth_t self:unix_stream_socket create_stream_socket_perms;
allow podsleuth_t self:sem create_sem_perms;
sysnet_dns_name_resolve(podsleuth_t)
userdom_signal_unpriv_users(podsleuth_t)
+userdom_signull_unpriv_users(podsleuth_t)
userdom_read_user_tmpfs_files(podsleuth_t)
optional_policy(`
#
interface(`pulseaudio_role',`
gen_require(`
- type pulseaudio_t, pulseaudio_exec_t, print_spool_t;
+ type pulseaudio_t, pulseaudio_exec_t;
class dbus { acquire_svc send_msg };
')
userdom_search_user_home_dirs($1)
read_files_pattern($1, pulseaudio_home_t, pulseaudio_home_t)
+ read_lnk_files_pattern($1, pulseaudio_home_t, pulseaudio_home_t)
')
########################################
')
rw_files_pattern($1, pulseaudio_home_t, pulseaudio_home_t)
+ read_lnk_files_pattern($1, pulseaudio_home_t, pulseaudio_home_t)
userdom_search_user_home_dirs($1)
')
-policy_module(pulseaudio, 1.3.0)
+policy_module(pulseaudio, 1.3.1)
########################################
#
## The role to allow the qemu domain.
## </summary>
## </param>
+## <rolecap/>
#
interface(`qemu_run',`
gen_require(`
qemu_domtrans($1)
role $2 types qemu_t;
-
- optional_policy(`
- samba_run_smb(qemu_t, $2, $3)
- ')
+ allow qemu_t $1:process signull;
+ allow $1 qemu_t:process signull;
')
########################################
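Review bot: After the removal of `samba_run_smb(qemu_t, $2, $3)`, `qemu_run` no longer references `$3`; if the interface's documentation block above this hunk still declares a third parameter, it is now stale and should be deleted, since the visible part of the block documents only `role`. The new `signull` rules are bidirectional, matching the pattern other run interfaces use, so no change is needed there. The head of `qemu_run`'s documentation starts before the hunk.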
-policy_module(qemu, 1.5.0)
+policy_module(qemu, 1.5.1)
########################################
#
## <desc>
## <p>
-## Allow qemu to user serial/parallel communication ports
+## Allow qemu to use serial/parallel communication ports
## </p>
## </desc>
gen_tunable(qemu_use_comm, false)
tunable_policy(`qemu_full_network',`
allow qemu_t self:udp_socket create_socket_perms;
- corenet_udp_sendrecv_all_if(qemu_t)
- corenet_udp_sendrecv_all_nodes(qemu_t)
+ corenet_udp_sendrecv_generic_if(qemu_t)
+ corenet_udp_sendrecv_generic_node(qemu_t)
corenet_udp_sendrecv_all_ports(qemu_t)
- corenet_udp_bind_all_nodes(qemu_t)
+ corenet_udp_bind_generic_node(qemu_t)
corenet_udp_bind_all_ports(qemu_t)
corenet_tcp_bind_all_ports(qemu_t)
corenet_tcp_connect_all_ports(qemu_t)
')
optional_policy(`
- samba_domtrans_smbd(qemu_t)
+ dbus_read_lib_files(qemu_t)
+')
+
+optional_policy(`
+ pulseaudio_manage_home_files(qemu_t)
+ pulseaudio_stream_connect(qemu_t)
')
optional_policy(`
xen_rw_image_files(qemu_t)
')
+optional_policy(`
+ xserver_read_xdm_pid(qemu_t)
+ xserver_stream_connect(qemu_t)
+')
+
########################################
#
# Unconfined qemu local policy
spec_domtrans_pattern($1, rssh_exec_t, rssh_t)
')
+########################################
+## <summary>
+## Execute the rssh program
+## in the caller domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`rssh_exec',`
+ gen_require(`
+ type rssh_exec_t;
+ ')
+
+ can_exec($1, rssh_exec_t)
+')
+
+########################################
+## <summary>
+## Execute a domain transition to run rssh_chroot_helper.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`rssh_domtrans_chroot_helper',`
+ gen_require(`
+ type rssh_chroot_helper_t, rssh_chroot_helper_exec_t;
+ ')
+
+ domtrans_pattern($1, rssh_chroot_helper_exec_t, rssh_chroot_helper_t)
+')
+
########################################
## <summary>
## Read all users rssh read-only content.
-policy_module(rssh, 2.0.0)
+policy_module(rssh, 2.0.1)
########################################
#
ubac_constrained(rssh_t)
role system_r types rssh_t;
+type rssh_chroot_helper_t;
+type rssh_chroot_helper_exec_t;
+init_system_domain(rssh_chroot_helper_t, rssh_chroot_helper_exec_t)
+
type rssh_devpts_t;
typealias rssh_devpts_t alias { user_rssh_devpts_t staff_rssh_devpts_t sysadm_rssh_devpts_t };
typealias rssh_devpts_t alias { auditadm_rssh_devpts_t secadm_rssh_devpts_t };
miscfiles_read_localization(rssh_t)
+rssh_domtrans_chroot_helper(rssh_t)
+
ssh_rw_tcp_sockets(rssh_t)
ssh_rw_stream_sockets(rssh_t)
optional_policy(`
nis_use_ypbind(rssh_t)
')
+
+########################################
+#
+# rssh_chroot_helper local policy
+#
+
+allow rssh_chroot_helper_t self:capability { sys_chroot setuid };
+allow rssh_chroot_helper_t self:fifo_file rw_fifo_file_perms;
+allow rssh_chroot_helper_t self:unix_stream_socket create_stream_socket_perms;
+
+domain_use_interactive_fds(rssh_chroot_helper_t)
+
+files_read_etc_files(rssh_chroot_helper_t)
+
+auth_use_nsswitch(rssh_chroot_helper_t)
+
+logging_send_syslog_msg(rssh_chroot_helper_t)
+
+miscfiles_read_localization(rssh_chroot_helper_t)
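Review bot: `rssh_chroot_helper_t` is given `sys_chroot setuid`, but the new section grants it no execute permission on anything and no domain transition out, so if the helper execs the chrooted command after changing root, as its name suggests, those execs will be denied; confirm against the helper's actual behaviour and the audit log before merging. The capability line would benefit from a comment recording the privilege drop it is meant to support, e.g. `# chroot into the jail, then setuid back to the unprivileged user - confirm`. Note that the type is declared with `init_system_domain` but is only reached from `rssh_t` via the new `rssh_domtrans_chroot_helper(rssh_t)`, which is consistent because rssh_t already has `role system_r`.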
-policy_module(sambagui, 1.0.0)
+policy_module(sambagui, 1.0.1)
########################################
#
files_read_etc_files(sambagui_t)
files_search_var_lib(sambagui_t)
-files_search_usr(sambagui_t)
+files_read_usr_files(sambagui_t)
auth_use_nsswitch(sambagui_t)
miscfiles_read_localization(sambagui_t)
-nscd_dontaudit_search_pid(sambagui_t)
-
-# handling with samba conf files
-samba_append_log(sambagui_t)
-samba_manage_config(sambagui_t)
-samba_manage_var_files(sambagui_t)
-samba_read_secrets(sambagui_t)
-samba_initrc_domtrans(sambagui_t)
-samba_domtrans_smbd(sambagui_t)
-samba_domtrans_nmbd(sambagui_t)
-
optional_policy(`
consoletype_exec(sambagui_t)
')
+optional_policy(`
+ nscd_dontaudit_search_pid(sambagui_t)
+')
+
optional_policy(`
policykit_dbus_chat(sambagui_t)
')
+
+optional_policy(`
+ # handling with samba conf files
+ samba_append_log(sambagui_t)
+ samba_manage_config(sambagui_t)
+ samba_manage_var_files(sambagui_t)
+ samba_read_secrets(sambagui_t)
+ samba_initrc_domtrans(sambagui_t)
+ samba_domtrans_smbd(sambagui_t)
+ samba_domtrans_nmbd(sambagui_t)
+')
#
# /home
#
+HOME_DIR/\.screen(/.*)? gen_context(system_u:object_r:screen_home_t,s0)
HOME_DIR/\.screenrc -- gen_context(system_u:object_r:screen_home_t,s0)
#
allow $1_screen_t self:udp_socket create_socket_perms;
# Internal screen networking
allow $1_screen_t self:fd use;
- allow $1_screen_t self:unix_stream_socket create_socket_perms;
+ allow $1_screen_t self:unix_stream_socket { create_socket_perms connectto };
allow $1_screen_t self:unix_dgram_socket create_socket_perms;
manage_dirs_pattern($1_screen_t, screen_tmp_t, screen_tmp_t)
# Create fifo
manage_fifo_files_pattern($1_screen_t, screen_var_run_t, screen_var_run_t)
manage_dirs_pattern($1_screen_t, screen_var_run_t, screen_var_run_t)
+ manage_sock_files_pattern($1_screen_t, screen_var_run_t, screen_var_run_t)
files_pid_filetrans($1_screen_t, screen_var_run_t, dir)
allow $1_screen_t screen_home_t:dir list_dir_perms;
+ manage_dirs_pattern($1_screen_t, screen_home_t, screen_home_t)
+ manage_fifo_files_pattern($1_screen_t, screen_home_t, screen_home_t)
+ userdom_user_home_dir_filetrans($1_screen_t, screen_home_t, dir)
read_files_pattern($1_screen_t, screen_home_t, screen_home_t)
read_lnk_files_pattern($1_screen_t, screen_home_t, screen_home_t)
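Review bot: `userdom_user_home_dir_filetrans($1_screen_t, screen_home_t, dir)` labels every directory `$1_screen_t` creates directly in the home directory as `screen_home_t`, not only `~/.screen`, because the transition is not name-based; that is acceptable if screen creates nothing else there, but it deserves a comment such as `# ~/.screen is created on first run; any other dir screen makes in $HOME gets the same label`. The matching fc entry `HOME_DIR/\.screen(/.*)?` added in this commit means a relabel corrects any mislabel, so this is a labeling-precision point rather than a functional one. The enclosing template starts before the hunk.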
domtrans_pattern($3, screen_exec_t, $1_screen_t)
allow $3 $1_screen_t:process { signal sigchld };
+ dontaudit $3 $1_screen_t:unix_stream_socket { read write };
allow $1_screen_t $3:process signal;
+ manage_fifo_files_pattern($3, screen_home_t, screen_home_t)
manage_dirs_pattern($3, screen_home_t, screen_home_t)
manage_files_pattern($3, screen_home_t, screen_home_t)
manage_lnk_files_pattern($3, screen_home_t, screen_home_t)
-policy_module(screen, 2.3.0)
+policy_module(screen, 2.3.1)
########################################
#
-policy_module(slocate, 1.10.0)
+policy_module(slocate, 1.10.1)
#################################
#
dev_getattr_all_chr_files(locate_t)
files_list_all(locate_t)
+files_dontaudit_read_all_symlinks(locate_t)
files_getattr_all_files(locate_t)
files_getattr_all_pipes(locate_t)
files_getattr_all_sockets(locate_t)
HOME_DIR/\.cache/\.mc_connections -- gen_context(system_u:object_r:telepathy_mission_control_cache_home_t, s0)
+HOME_DIR/\.cache/telepathy/logger/sqlite-data-journal -- gen_context(system_u:object_r:telepathy_logger_cache_home_t,s0)
HOME_DIR/\.cache/telepathy/gabble(/.*)? gen_context(system_u:object_r:telepathy_gabble_cache_home_t, s0)
HOME_DIR/\.cache/wocky(/.*)? gen_context(system_u:object_r:telepathy_gabble_cache_home_t, s0)
HOME_DIR/\.mission-control(/.*)? gen_context(system_u:object_r:telepathy_mission_control_home_t, s0)
HOME_DIR/\.telepathy-sunshine(/.*)? gen_context(system_u:object_r:telepathy_sunshine_home_t, s0)
+HOME_DIR/\.local/share/TpLogger(/.*)? gen_context(system_u:object_r:telepathy_logger_data_home_t,s0)
/usr/libexec/mission-control-5 -- gen_context(system_u:object_r:telepathy_mission_control_exec_t, s0)
/usr/libexec/telepathy-butterfly -- gen_context(system_u:object_r:telepathy_msn_exec_t, s0)
/usr/libexec/telepathy-gabble -- gen_context(system_u:object_r:telepathy_gabble_exec_t, s0)
/usr/libexec/telepathy-haze -- gen_context(system_u:object_r:telepathy_msn_exec_t, s0)
/usr/libexec/telepathy-idle -- gen_context(system_u:object_r:telepathy_idle_exec_t, s0)
+/usr/libexec/telepathy-logger -- gen_context(system_u:object_r:telepathy_logger_exec_t,s0)
/usr/libexec/telepathy-salut -- gen_context(system_u:object_r:telepathy_salut_exec_t, s0)
/usr/libexec/telepathy-sofiasip -- gen_context(system_u:object_r:telepathy_sofiasip_exec_t, s0)
/usr/libexec/telepathy-stream-engine -- gen_context(system_u:object_r:telepathy_stream_engine_exec_t, s0)
type telepathy_mission_control_t, telepathy_salut_t, telepathy_sunshine_t;
type telepathy_stream_engine_t, telepathy_msn_t, telepathy_gabble_exec_t;
type telepathy_sofiasip_exec_t, telepathy_idle_exec_t;
+ type telepathy_logger_t, telepathy_logger_exec_t;
type telepathy_mission_control_exec_t, telepathy_salut_exec_t;
- type telepathy_sunshine_exec_t,telepathy_stream_engine_exec_t;
+ type telepathy_sunshine_exec_t, telepathy_stream_engine_exec_t;
type telepathy_msn_exec_t;
')
dbus_session_domain($3, telepathy_gabble_exec_t, telepathy_gabble_t)
dbus_session_domain($3, telepathy_sofiasip_exec_t, telepathy_sofiasip_t)
dbus_session_domain($3, telepathy_idle_exec_t, telepathy_idle_t)
+ dbus_session_domain($3, telepathy_logger_exec_t, telepathy_logger_t)
dbus_session_domain($3, telepathy_mission_control_exec_t, telepathy_mission_control_t)
dbus_session_domain($3, telepathy_salut_exec_t, telepathy_salut_t)
dbus_session_domain($3, telepathy_sunshine_exec_t, telepathy_sunshine_t)
-policy_module(telepathy, 1.0.0)
+policy_module(telepathy, 1.0.1)
########################################
#
userdom_user_home_content(telepathy_gabble_cache_home_t)
telepathy_domain_template(idle)
+telepathy_domain_template(logger)
+
+type telepathy_logger_cache_home_t;
+userdom_user_home_content(telepathy_logger_cache_home_t)
+
+type telepathy_logger_data_home_t;
+userdom_user_home_content(telepathy_logger_data_home_t)
+
telepathy_domain_template(mission_control)
type telepathy_mission_control_home_t;
corenet_sendrecv_generic_client_packets(telepathy_idle_t)
')
+#######################################
+#
+# Telepathy Logger local policy.
+#
+
+allow telepathy_logger_t self:unix_stream_socket create_socket_perms;
+
+manage_files_pattern(telepathy_logger_t, telepathy_logger_cache_home_t, telepathy_logger_cache_home_t)
+
+manage_dirs_pattern(telepathy_logger_t, telepathy_logger_data_home_t, telepathy_logger_data_home_t)
+manage_files_pattern(telepathy_logger_t, telepathy_logger_data_home_t, telepathy_logger_data_home_t)
+
+files_read_etc_files(telepathy_logger_t)
+files_read_usr_files(telepathy_logger_t)
+files_search_pids(telepathy_logger_t)
+
+fs_getattr_all_fs(telepathy_logger_t)
+
+tunable_policy(`use_nfs_home_dirs',`
+ fs_manage_nfs_dirs(telepathy_logger_t)
+ fs_manage_nfs_files(telepathy_logger_t)
+')
+
+tunable_policy(`use_samba_home_dirs',`
+ fs_manage_cifs_dirs(telepathy_logger_t)
+ fs_manage_cifs_files(telepathy_logger_t)
+')
+
#######################################
#
# Telepathy Mission-Control local policy.
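Review bot: `manage_files_pattern(telepathy_logger_t, telepathy_logger_cache_home_t, ..)` has no accompanying file transition, so a journal file the logger creates at runtime under `~/.cache/telepathy/logger/` inherits the directory's label rather than `telepathy_logger_cache_home_t`, and the fc entry only takes effect on relabel. Either add a transition on the appropriate parent type or document the limitation above the rule: `# NOTE: no filetrans; the journal only gets this label via restorecon`. The same applies to the creation of the `TpLogger` directory itself under `~/.local/share`, although files created inside an already-labeled `telepathy_logger_data_home_t` directory are fine. Whether `telepathy_domain_template(logger)` already grants home directory search for these paths is not visible here.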
/var/log/vnetlib.* -- gen_context(system_u:object_r:vmware_log_t,s0)
/var/run/vmnat.* -s gen_context(system_u:object_r:vmware_var_run_t,s0)
+/var/run/vmnet.* gen_context(system_u:object_r:vmware_var_run_t,s0)
/var/run/vmware.* gen_context(system_u:object_r:vmware_var_run_t,s0)
-policy_module(vmware, 2.3.0)
+policy_module(vmware, 2.3.1)
########################################
#
manage_sock_files_pattern(vmware_host_t, vmware_var_run_t, vmware_var_run_t)
files_pid_filetrans(vmware_host_t, vmware_var_run_t, { file sock_file })
-manage_files_pattern(vmware_host_t, vmware_log_t, vmware_log_t)
+manage_files_pattern(vmware_host_t, vmware_log_t, vmware_log_t)
logging_log_filetrans(vmware_host_t, vmware_log_t, { file dir })
kernel_read_kernel_sysctls(vmware_host_t)
files_list_tmp(vmware_host_t)
files_read_etc_files(vmware_host_t)
files_read_etc_runtime_files(vmware_host_t)
+files_read_usr_files(vmware_host_t)
fs_getattr_all_fs(vmware_host_t)
fs_search_auto_mountpoints(vmware_host_t)
miscfiles_read_localization(vmware_host_t)
sysnet_dns_name_resolve(vmware_host_t)
+sysnet_domtrans_ifconfig(vmware_host_t)
userdom_dontaudit_use_unpriv_user_fds(vmware_host_t)
userdom_dontaudit_search_user_home_dirs(vmware_host_t)
netutils_domtrans_ping(vmware_host_t)
optional_policy(`
- seutil_sigchld_newrole(vmware_host_t)
+ hostname_exec(vmware_host_t)
+')
+optional_policy(`
+ modutils_domtrans_insmod(vmware_host_t)
')
optional_policy(`
- udev_read_db(vmware_host_t)
+ samba_read_config(vmware_host_t)
')
optional_policy(`
- xserver_read_tmp_files(vmware_host_t)
- xserver_read_xdm_pid(vmware_host_t)
+ seutil_sigchld_newrole(vmware_host_t)
')
-ifdef(`TODO',`
-# VMWare need access to pcmcia devices for network
optional_policy(`
-allow kernel_t cardmgr_var_lib_t:dir { getattr search };
-allow kernel_t cardmgr_var_lib_t:file { getattr ioctl read };
+ shutdown_domtrans(vmware_host_t)
')
-# Vmware create network devices
-allow kernel_t self:capability net_admin;
-allow kernel_t self:netlink_route_socket { bind create getattr nlmsg_read nlmsg_write read write };
-allow kernel_t self:socket create;
+
+optional_policy(`
+ udev_read_db(vmware_host_t)
+')
+
+optional_policy(`
+ xserver_read_tmp_files(vmware_host_t)
+ xserver_read_xdm_pid(vmware_host_t)
')
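Review bot: `modutils_domtrans_insmod(vmware_host_t)` and `shutdown_domtrans(vmware_host_t)` let the vmware host domain load kernel modules and initiate a shutdown through those domains, and neither grant is explained, while the other new blocks in this hunk are self-describing. Add a comment to each naming the triggering operation, e.g. `# loads the vmware kernel modules at service start - confirm` and `# <OPERATION that needs the shutdown transition - confirm>`. The removed `ifdef(TODO, ...)` block was never compiled in, so dropping it changes nothing in the built policy.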
##############################
-policy_module(webalizer, 1.10.0)
+policy_module(webalizer, 1.10.1)
########################################
#
optional_policy(`
nscd_socket_use(webalizer_t)
')
+
+optional_policy(`
+ squid_read_log(webalizer_t)
+')
wine_domtrans($1)
role $2 types wine_t;
')
+
+########################################
+## <summary>
+## Read and write wine Shared
+## memory segments.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`wine_rw_shm',`
+ gen_require(`
+ type wine_t;
+ ')
+
+ allow $1 wine_t:shm rw_shm_perms;
+')
-policy_module(wine, 1.8.0)
+policy_module(wine, 1.8.1)
########################################
#
')
optional_policy(`
- unconfined_domain_noaudit(wine_t)
+ policykit_dbus_chat(wine_t)
+')
+
+optional_policy(`
+ unconfined_domain(wine_t)
')
optional_policy(`
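Review bot: Replacing `unconfined_domain_noaudit(wine_t)` with `unconfined_domain(wine_t)` changes what is audited for the wine domain (and, depending on the refpolicy version, what the exec* tunables grant it), but nothing in the hunk records why; a comment such as `# audited unconfined: keep wine denials visible in the log` above the call would preserve the intent. The new `policykit_dbus_chat(wine_t)` block follows the file's optional_policy convention. The optional_policy block that begins at the last context line continues past the hunk.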
-/usr/bin/twm -- gen_context(system_u:object_r:wm_exec_t,s0)
+/usr/bin/gnome-shell -- gen_context(system_u:object_r:wm_exec_t,s0)
/usr/bin/openbox -- gen_context(system_u:object_r:wm_exec_t,s0)
/usr/bin/metacity -- gen_context(system_u:object_r:wm_exec_t,s0)
+/usr/bin/twm -- gen_context(system_u:object_r:wm_exec_t,s0)
allow $1_wm_t $3:unix_stream_socket connectto;
allow $3 $1_wm_t:unix_stream_socket connectto;
- allow $3 $1_wm_t:process { signal sigchld };
+ allow $3 $1_wm_t:process { signal sigchld signull };
allow $1_wm_t $3:process { signull sigkill };
allow $1_wm_t $3:dbus send_msg;
auth_use_nsswitch($1_wm_t)
+ application_signull($1_wm_t)
+
miscfiles_read_fonts($1_wm_t)
miscfiles_read_localization($1_wm_t)
-policy_module(wm, 1.1.0)
+policy_module(wm, 1.1.1)
########################################
#
allow $1 { user_home_dir_t user_home_t }:dir search_dir_perms;
')
+########################################
+## <summary>
+## Send signull to unprivileged user domains.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`userdom_signull_unpriv_users',`
+ gen_require(`
+ attribute unpriv_userdomain;
+ ')
+
+ allow $1 unpriv_userdomain:process signull;
+')
+
########################################
## <summary>
## Send general signals to unprivileged user domains.
-policy_module(userdomain, 4.5.1)
+policy_module(userdomain, 4.5.2)
########################################
#