* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/, policy/modules/contrib/chromium/, ...
@ 2012-07-23 20:27 Sven Vermeulen
From: Sven Vermeulen @ 2012-07-23 20:27 UTC (permalink / raw
To: gentoo-commits
commit: 1d887ec84d39722f7ef8929bb2b3f925f5043f00
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Sun Jul 22 08:37:06 2012 +0000
Commit: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Sun Jul 22 08:37:06 2012 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=1d887ec8
Adding in SELinux policy for chromium
---
policy/modules/contrib/chromium.autogen | 9 ++
policy/modules/contrib/chromium.fc | 6 +
policy/modules/contrib/chromium.if | 78 +++++++++++
policy/modules/contrib/chromium.te | 142 ++++++++++++++++++++
.../chromium/chromium_domtrans.autogen.iface | 19 +++
policy/modules/contrib/chromium/chromium_role.part | 32 +++++
.../contrib/chromium/chromium_run.autogen.iface | 23 +++
policy/modules/roles/staff.te | 4 +
policy/modules/roles/unprivuser.te | 4 +
policy/modules/system/unconfined.te | 4 +
10 files changed, 321 insertions(+), 0 deletions(-)
diff --git a/policy/modules/contrib/chromium.autogen b/policy/modules/contrib/chromium.autogen
new file mode 100644
index 0000000..aeac21e
--- /dev/null
+++ b/policy/modules/contrib/chromium.autogen
@@ -0,0 +1,9 @@
+MODULE=chromium
+SUBDOMAINS=
+DESCRIPTION=Chromium browser
+
+chromium.DOMAIN=chromium_t
+chromium.EXEC=chromium_exec_t
+
+chromium.GENTYPES=
+chromium.METHODS=domtrans
diff --git a/policy/modules/contrib/chromium.fc b/policy/modules/contrib/chromium.fc
new file mode 100644
index 0000000..9ec35a2
--- /dev/null
+++ b/policy/modules/contrib/chromium.fc
@@ -0,0 +1,6 @@
+/usr/lib/chromium-browser/chrome -- gen_context(system_u:object_r:chromium_exec_t,s0)
+
+# Although this should be in the core definitions, it makes more sense to
+# logically keep it close to the module(s) that use it.
+
+/usr/lib/chromium-browser/nacl_helper_bootstrap -- gen_context(system_u:object_r:bin_t,s0)
diff --git a/policy/modules/contrib/chromium.if b/policy/modules/contrib/chromium.if
new file mode 100644
index 0000000..d082b5c
--- /dev/null
+++ b/policy/modules/contrib/chromium.if
@@ -0,0 +1,78 @@
+## <summary>
+## Chromium browser
+## </summary>
+
+#######################################
+## <summary>
+## Role access for chromium
+## </summary>
+## <param name="role">
+## <summary>
+## Role allowed access
+## </summary>
+## </param>
+## <param name="domain">
+## <summary>
+## User domain for the role
+## </summary>
+## </param>
+#
+interface(`chromium_role',`
+ gen_require(`
+ type chromium_t;
+ type chromium_renderer_t;
+ type chromium_exec_t;
+ ')
+
+ role $1 types chromium_t;
+ role $1 types chromium_renderer_t;
+
+ # Transition from the user domain to the derived domain
+ chromium_domtrans($2)
+
+ # Allow ps to show chromium processes and allow the user to signal it
+ ps_process_pattern($2, chromium_t)
+ allow $2 chromium_t:process signal_perms;
+')
+#######################################
+## <summary>
+## Execute a domain transition to the chromium domain (chromium_t)
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access
+## </summary>
+## </param>
+#
+interface(`chromium_domtrans',`
+ gen_require(`
+ type chromium_t;
+ type chromium_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, chromium_exec_t, chromium_t)
+')
+#######################################
+## <summary>
+## Execute chromium in the chromium domain and allow the specified role to access the chromium domain
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access
+## </summary>
+## </param>
+#
+interface(`chromium_run',`
+ gen_require(`
+ type chromium_t;
+ ')
+
+ chromium_domtrans($1)
+ role $2 types chromium_t;
+')
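Review bot: `chromium_run` at the end of this file adds only `chromium_t` to the caller's role, while `chromium_role` above it adds both `chromium_t` and `chromium_renderer_t`. The chromium.te file in this commit lets chromium_t dyntransition into chromium_renderer_t, so a role set up through `chromium_run` would presumably fail the role/type check once the renderer type is entered. Add `type chromium_renderer_t;` to the gen_require block and `role $2 types chromium_renderer_t;` after the existing role statement. The same text is duplicated in chromium_run.autogen.iface and needs the same change. Separately, `chromium_role` requires `chromium_exec_t` but never uses it.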
diff --git a/policy/modules/contrib/chromium.te b/policy/modules/contrib/chromium.te
new file mode 100644
index 0000000..1e51d7d
--- /dev/null
+++ b/policy/modules/contrib/chromium.te
@@ -0,0 +1,142 @@
+policy_module(chromium-browser, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type chromium_t;
+domain_dyntrans_type(chromium_t);
+
+type chromium_exec_t;
+application_domain(chromium_t, chromium_exec_t);
+
+type chromium_renderer_t;
+domain_base_type(chromium_renderer_t);
+
+type chromium_tmp_t;
+userdom_user_tmp_file(chromium_tmp_t);
+
+type chromium_tmpfs_t;
+userdom_user_tmpfs_file(chromium_tmpfs_t);
+
+########################################
+#
+# chromium local policy
+#
+
+allow chromium_t self:fifo_file rw_fifo_file_perms;;
+allow chromium_t self:process { getsched setsched signal };
+
+allow chromium_t chromium_exec_t:file execute_no_trans;
+allow chromium_t chromium_renderer_t:dir list_dir_perms;
+allow chromium_t chromium_renderer_t:file read_file_perms;
+allow chromium_t chromium_renderer_t:fd use;
+allow chromium_t chromium_renderer_t:process signal_perms;
+allow chromium_t chromium_renderer_t:shm rw_shm_perms;
+allow chromium_t chromium_renderer_t:unix_dgram_socket { read write };
+allow chromium_t chromium_renderer_t:unix_stream_socket { read write };
+
+dontaudit chromium_t self:process execmem;
+
+manage_files_pattern(chromium_t, chromium_tmp_t, chromium_tmp_t);
+manage_dirs_pattern(chromium_t, chromium_tmp_t, chromium_tmp_t);
+manage_lnk_files_pattern(chromium_t, chromium_tmp_t, chromium_tmp_t);
+manage_sock_files_pattern(chromium_t, chromium_tmp_t, chromium_tmp_t);
+files_tmp_filetrans(chromium_t, chromium_tmp_t, { file dir });
+
+manage_files_pattern(chromium_t, chromium_tmpfs_t, chromium_tmpfs_t);
+fs_tmpfs_filetrans(chromium_t, chromium_tmpfs_t, notdevfile_class_set);
+fs_tmpfs_filetrans(chromium_renderer_t, chromium_tmpfs_t, notdevfile_class_set);
+
+dyntrans_pattern(chromium_t, chromium_renderer_t);
+
+kernel_read_kernel_sysctls(chromium_t);
+
+corecmd_exec_bin(chromium_t);
+corecmd_exec_shell(chromium_t);
+
+corenet_tcp_connect_all_unreserved_ports(chromium_t);
+corenet_tcp_connect_ftp_port(chromium_t);
+corenet_tcp_connect_http_port(chromium_t);
+
+dev_read_sysfs(chromium_t);
+dev_read_urand(chromium_t);
+
+files_list_home(chromium_t);
+files_read_etc_files(chromium_t);
+files_read_etc_runtime_files(chromium_t);
+files_read_usr_files(chromium_t);
+
+fs_dontaudit_getattr_xattr_fs(chromium_t);
+
+miscfiles_read_localization(chromium_t);
+
+seutil_libselinux_linked(chromium_t);
+
+sysnet_dns_name_resolve(chromium_t);
+sysnet_read_config(chromium_t);
+
+userdom_manage_user_home_content_dirs(chromium_t);
+userdom_manage_user_home_content_files(chromium_t);
+userdom_use_user_ptys(chromium_t);
+
+xdg_manage_generic_cache_home_content(chromium_t);
+xdg_manage_generic_config_home_content(chromium_t);
+xdg_manage_generic_data_home_content(chromium_t);
+
+xserver_user_x_domain_template(chromium, chromium_t, chromium_tmpfs_t);
+xserver_user_x_domain_template(chromium_renderer, chromium_renderer_t, chromium_tmpfs_t);
+
+optional_policy(`
+ cups_read_config(chromium_t);
+ cups_stream_connect(chromium_t);
+')
+
+optional_policy(`
+ dbus_session_bus_client(chromium_t);
+ dbus_system_bus_client(chromium_t);
+
+ optional_policy(`
+ unconfined_dbus_chat(chromium_t);
+ ')
+')
+
+
+########################################
+#
+# chromium_renderer local policy
+#
+
+allow chromium_renderer_t self:process execmem;
+
+allow chromium_renderer_t self:fifo_file rw_fifo_file_perms;
+allow chromium_renderer_t self:shm create_shm_perms;
+allow chromium_renderer_t self:unix_dgram_socket { create read sendto };
+allow chromium_renderer_t self:unix_stream_socket { create getattr read write };
+
+allow chromium_renderer_t chromium_t:fd use;
+allow chromium_renderer_t chromium_t:unix_stream_socket rw_stream_socket_perms;
+allow chromium_renderer_t chromium_tmpfs_t:file rw_file_perms;
+
+dontaudit chromium_renderer_t chromium_t:dir search;
+dontaudit chromium_renderer_t self:process getsched;
+
+kernel_dontaudit_read_system_state(chromium_renderer_t);
+kernel_dontaudit_search_sysctl(chromium_renderer_t);
+
+dev_read_urand(chromium_renderer_t);
+
+files_list_tmp(chromium_renderer_t);
+
+files_dontaudit_read_all_symlinks(chromium_renderer_t);
+files_dontaudit_search_var(chromium_renderer_t);
+
+init_sigchld(chromium_renderer_t);
+
+miscfiles_read_fonts(chromium_renderer_t);
+miscfiles_read_localization(chromium_renderer_t);
+
+userdom_dontaudit_use_user_ptys(chromium_renderer_t);
+
+xdg_read_generic_config_home_files(chromium_renderer_t);
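Review bot: `userdom_manage_user_home_content_dirs(chromium_t)` and `userdom_manage_user_home_content_files(chromium_t)` give the browser domain create, write and delete rights on all generic user home content, which removes much of the benefit of confining it. Consider limiting write access to a dedicated download or profile type, or putting the broad grant behind a tunable that defaults to off, with read-only access otherwise. `corenet_tcp_connect_all_unreserved_ports(chromium_t)` is similarly wide and would be easier to audit as a tunable. Minor: the first allow rule ends in `rw_fifo_file_perms;;` with a stray second semicolon, and the interface calls in a .te file do not take a trailing semicolon.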
diff --git a/policy/modules/contrib/chromium/chromium_domtrans.autogen.iface b/policy/modules/contrib/chromium/chromium_domtrans.autogen.iface
new file mode 100644
index 0000000..8652e30
--- /dev/null
+++ b/policy/modules/contrib/chromium/chromium_domtrans.autogen.iface
@@ -0,0 +1,19 @@
+#######################################
+## <summary>
+## Execute a domain transition to the chromium domain (chromium_t)
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access
+## </summary>
+## </param>
+#
+interface(`chromium_domtrans',`
+ gen_require(`
+ type chromium_t;
+ type chromium_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, chromium_exec_t, chromium_t)
+')
diff --git a/policy/modules/contrib/chromium/chromium_role.part b/policy/modules/contrib/chromium/chromium_role.part
new file mode 100644
index 0000000..8d679f1
--- /dev/null
+++ b/policy/modules/contrib/chromium/chromium_role.part
@@ -0,0 +1,32 @@
+#######################################
+## <summary>
+## Role access for chromium
+## </summary>
+## <param name="role">
+## <summary>
+## Role allowed access
+## </summary>
+## </param>
+## <param name="domain">
+## <summary>
+## User domain for the role
+## </summary>
+## </param>
+#
+interface(`chromium_role',`
+ gen_require(`
+ type chromium_t;
+ type chromium_renderer_t;
+ type chromium_exec_t;
+ ')
+
+ role $1 types chromium_t;
+ role $1 types chromium_renderer_t;
+
+ # Transition from the user domain to the derived domain
+ chromium_domtrans($2)
+
+ # Allow ps to show chromium processes and allow the user to signal it
+ ps_process_pattern($2, chromium_t)
+ allow $2 chromium_t:process signal_perms;
+')
diff --git a/policy/modules/contrib/chromium/chromium_run.autogen.iface b/policy/modules/contrib/chromium/chromium_run.autogen.iface
new file mode 100644
index 0000000..c737b3f
--- /dev/null
+++ b/policy/modules/contrib/chromium/chromium_run.autogen.iface
@@ -0,0 +1,23 @@
+#######################################
+## <summary>
+## Execute chromium in the chromium domain and allow the specified role to access the chromium domain
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access
+## </summary>
+## </param>
+#
+interface(`chromium_run',`
+ gen_require(`
+ type chromium_t;
+ ')
+
+ chromium_domtrans($1)
+ role $2 types chromium_t;
+')
diff --git a/policy/modules/roles/staff.te b/policy/modules/roles/staff.te
index b625c18..25807b6 100644
--- a/policy/modules/roles/staff.te
+++ b/policy/modules/roles/staff.te
@@ -23,6 +23,10 @@ optional_policy(`
')
optional_policy(`
+ chromium_role(staff_r, staff_t)
+')
+
+optional_policy(`
dbadm_role_change(staff_r)
')
diff --git a/policy/modules/roles/unprivuser.te b/policy/modules/roles/unprivuser.te
index 59428ec..8029449 100644
--- a/policy/modules/roles/unprivuser.te
+++ b/policy/modules/roles/unprivuser.te
@@ -17,6 +17,10 @@ optional_policy(`
')
optional_policy(`
+ chromium_role(user_r, user_t)
+')
+
+optional_policy(`
git_role(user_r, user_t)
')
diff --git a/policy/modules/system/unconfined.te b/policy/modules/system/unconfined.te
index 70ac50b..1167b73 100644
--- a/policy/modules/system/unconfined.te
+++ b/policy/modules/system/unconfined.te
@@ -72,6 +72,10 @@ optional_policy(`
')
optional_policy(`
+ chromium_role(unconfined_r, unconfined_t)
+')
+
+optional_policy(`
cron_unconfined_role(unconfined_r, unconfined_t)
')
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/, policy/modules/contrib/chromium/, ...
@ 2012-07-23 20:27 Sven Vermeulen
From: Sven Vermeulen @ 2012-07-23 20:27 UTC (permalink / raw
To: gentoo-commits
commit: 79c78ad01cfcdbd3015fbccec278b2cdc0474d74
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Mon Jul 23 20:26:49 2012 +0000
Commit: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Mon Jul 23 20:26:49 2012 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=79c78ad0
Slew of changes for chromium
---
policy/modules/contrib/chromium.if | 19 +++
policy/modules/contrib/chromium.te | 149 ++++++++++++--------
policy/modules/contrib/chromium/chromium_role.part | 2 +
.../contrib/chromium/chromium_rw_tmp_pipes.part | 17 +++
policy/modules/contrib/java.if | 26 ++++
policy/modules/contrib/java.te | 17 ++-
policy/modules/contrib/mozilla.if | 39 +++++
policy/modules/contrib/mozilla.te | 2 +-
policy/modules/kernel/files.if | 19 +++
policy/modules/kernel/kernel.if | 18 +++
policy/modules/system/getty.if | 18 +++
11 files changed, 266 insertions(+), 60 deletions(-)
diff --git a/policy/modules/contrib/chromium.if b/policy/modules/contrib/chromium.if
index d082b5c..e06004d 100644
--- a/policy/modules/contrib/chromium.if
+++ b/policy/modules/contrib/chromium.if
@@ -32,7 +32,26 @@ interface(`chromium_role',`
# Allow ps to show chromium processes and allow the user to signal it
ps_process_pattern($2, chromium_t)
+ ps_process_pattern($2, chromium_renderer_t)
allow $2 chromium_t:process signal_perms;
+ allow $2 chromium_renderer_t:process signal_perms;
+')
+#######################################
+## <summary>
+## Read-write access to Chromiums' temporary fifo files
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access
+## </summary>
+## </param>
+#
+interface(`chromium_rw_tmp_pipes',`
+ gen_require(`
+ type chromium_tmp_t;
+ ')
+
+ rw_fifo_files_pattern($1, chromium_tmp_t, chromium_tmp_t)
')
#######################################
## <summary>
diff --git a/policy/modules/contrib/chromium.te b/policy/modules/contrib/chromium.te
index b7c6ea6..05aa860 100644
--- a/policy/modules/contrib/chromium.te
+++ b/policy/modules/contrib/chromium.te
@@ -6,19 +6,19 @@ policy_module(chromium-browser, 1.0.0)
#
type chromium_t;
-domain_dyntrans_type(chromium_t);
+domain_dyntrans_type(chromium_t)
type chromium_exec_t;
-application_domain(chromium_t, chromium_exec_t);
+application_domain(chromium_t, chromium_exec_t)
type chromium_renderer_t;
-domain_base_type(chromium_renderer_t);
+domain_base_type(chromium_renderer_t)
type chromium_tmp_t;
-userdom_user_tmp_file(chromium_tmp_t);
+userdom_user_tmp_file(chromium_tmp_t)
type chromium_tmpfs_t;
-userdom_user_tmpfs_file(chromium_tmpfs_t);
+userdom_user_tmpfs_file(chromium_tmpfs_t)
type chromium_xdg_config_t;
xdg_config_home_content(chromium_xdg_config_t)
@@ -33,83 +33,104 @@ allow chromium_t self:process { getsched setsched signal };
allow chromium_t chromium_exec_t:file execute_no_trans;
allow chromium_t chromium_renderer_t:dir list_dir_perms;
-allow chromium_t chromium_renderer_t:file read_file_perms;
+allow chromium_t chromium_renderer_t:file rw_file_perms;
allow chromium_t chromium_renderer_t:fd use;
allow chromium_t chromium_renderer_t:process signal_perms;
allow chromium_t chromium_renderer_t:shm rw_shm_perms;
allow chromium_t chromium_renderer_t:unix_dgram_socket { read write };
allow chromium_t chromium_renderer_t:unix_stream_socket { read write };
-dontaudit chromium_t self:process execmem;
+allow chromium_t self:process execmem; # Load in plugins
-manage_files_pattern(chromium_t, chromium_tmp_t, chromium_tmp_t);
-manage_dirs_pattern(chromium_t, chromium_tmp_t, chromium_tmp_t);
-manage_lnk_files_pattern(chromium_t, chromium_tmp_t, chromium_tmp_t);
-manage_sock_files_pattern(chromium_t, chromium_tmp_t, chromium_tmp_t);
-files_tmp_filetrans(chromium_t, chromium_tmp_t, { file dir });
+# tmp has a wide class access (used for plugins)
+manage_files_pattern(chromium_t, chromium_tmp_t, chromium_tmp_t)
+manage_dirs_pattern(chromium_t, chromium_tmp_t, chromium_tmp_t)
+manage_lnk_files_pattern(chromium_t, chromium_tmp_t, chromium_tmp_t)
+manage_sock_files_pattern(chromium_t, chromium_tmp_t, chromium_tmp_t)
+manage_fifo_files_pattern(chromium_t, chromium_tmp_t, chromium_tmp_t)
+files_tmp_filetrans(chromium_t, chromium_tmp_t, { file dir sock_file })
-manage_files_pattern(chromium_t, chromium_tmpfs_t, chromium_tmpfs_t);
-fs_tmpfs_filetrans(chromium_t, chromium_tmpfs_t, notdevfile_class_set);
-fs_tmpfs_filetrans(chromium_renderer_t, chromium_tmpfs_t, notdevfile_class_set);
+manage_files_pattern(chromium_t, chromium_tmpfs_t, chromium_tmpfs_t)
+fs_tmpfs_filetrans(chromium_t, chromium_tmpfs_t, notdevfile_class_set)
+fs_tmpfs_filetrans(chromium_renderer_t, chromium_tmpfs_t, notdevfile_class_set)
manage_files_pattern(chromium_t, chromium_xdg_config_t, chromium_xdg_config_t)
manage_lnk_files_pattern(chromium_t, chromium_xdg_config_t, chromium_xdg_config_t)
manage_dirs_pattern(chromium_t, chromium_xdg_config_t, chromium_xdg_config_t)
xdg_config_home_filetrans(chromium_t, chromium_xdg_config_t, dir, "chromium")
-dyntrans_pattern(chromium_t, chromium_renderer_t);
+dyntrans_pattern(chromium_t, chromium_renderer_t)
-kernel_read_kernel_sysctls(chromium_t);
+kernel_read_kernel_sysctls(chromium_t)
-corecmd_exec_bin(chromium_t);
-corecmd_exec_shell(chromium_t);
+corecmd_exec_bin(chromium_t)
+corecmd_exec_shell(chromium_t)
-corenet_tcp_connect_all_unreserved_ports(chromium_t);
-corenet_tcp_connect_ftp_port(chromium_t);
-corenet_tcp_connect_http_port(chromium_t);
+corenet_tcp_connect_all_unreserved_ports(chromium_t)
+corenet_tcp_connect_ftp_port(chromium_t)
+corenet_tcp_connect_http_port(chromium_t)
-dev_read_sysfs(chromium_t);
-dev_read_urand(chromium_t);
+dev_read_sound(chromium_t)
+dev_write_sound(chromium_t)
+dev_read_sysfs(chromium_t)
+dev_read_urand(chromium_t)
-files_list_home(chromium_t);
-files_read_etc_files(chromium_t);
-files_read_etc_runtime_files(chromium_t);
-files_read_usr_files(chromium_t);
+domain_dontaudit_search_all_domains_state(chromium_t)
-fs_dontaudit_getattr_xattr_fs(chromium_t);
+files_list_home(chromium_t)
+files_read_usr_files(chromium_t)
+files_read_etc_files(chromium_t)
+files_read_etc_runtime_files(chromium_t)
-miscfiles_read_localization(chromium_t);
+fs_dontaudit_getattr_xattr_fs(chromium_t)
-seutil_libselinux_linked(chromium_t);
+getty_dontaudit_use_fds(chromium_t)
-sysnet_dns_name_resolve(chromium_t);
-sysnet_read_config(chromium_t);
+miscfiles_read_localization(chromium_t)
-userdom_manage_user_home_content_dirs(chromium_t);
-userdom_manage_user_home_content_files(chromium_t);
-userdom_use_user_ptys(chromium_t);
+seutil_libselinux_linked(chromium_t)
-xdg_manage_generic_cache_home_content(chromium_t);
-#xdg_manage_generic_config_home_content(chromium_t);
-xdg_manage_generic_data_home_content(chromium_t);
+sysnet_dns_name_resolve(chromium_t)
-xserver_user_x_domain_template(chromium, chromium_t, chromium_tmpfs_t);
-xserver_user_x_domain_template(chromium_renderer, chromium_renderer_t, chromium_tmpfs_t);
+userdom_manage_user_home_content_dirs(chromium_t)
+userdom_manage_user_home_content_files(chromium_t)
+# Debugging. Also on user_tty_device_t if X is started through "startx" for
+# instance
+userdom_use_user_terminals(chromium_t)
+
+xdg_manage_generic_cache_home_content(chromium_t)
+#xdg_manage_generic_config_home_content(chromium_t)
+xdg_read_generic_config_home_files(chromium_t)
+xdg_manage_generic_data_home_content(chromium_t)
+
+xserver_user_x_domain_template(chromium, chromium_t, chromium_tmpfs_t)
optional_policy(`
- cups_read_config(chromium_t);
- cups_stream_connect(chromium_t);
+ alsa_read_rw_config(chromium_t)
')
optional_policy(`
- dbus_session_bus_client(chromium_t);
- dbus_system_bus_client(chromium_t);
+ cups_read_config(chromium_t)
+ cups_stream_connect(chromium_t)
+')
+
+optional_policy(`
+ dbus_session_bus_client(chromium_t)
+ dbus_system_bus_client(chromium_t)
optional_policy(`
- unconfined_dbus_chat(chromium_t);
+ unconfined_dbus_chat(chromium_t)
')
')
+optional_policy(`
+ java_noatsecure_domtrans(chromium_t)
+')
+
+optional_policy(`
+ # Chromium reads in .mozilla for user plugins
+ mozilla_read_user_home(chromium_t)
+')
########################################
#
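Review bot: `allow chromium_t self:process execmem; # Load in plugins` turns the earlier dontaudit into an unconditional grant, so the main browser domain may map writable-executable memory even on systems that never load a plugin. Since the stated reason is plugin support, the rule is better placed in a tunable_policy block keyed on a boolean declared with `gen_tunable(<tunable_name>, false)` (name to be chosen by the maintainer), leaving the dontaudit in place when the boolean is off. The same hunk also widens `chromium_t chromium_renderer_t:file` from `read_file_perms` to `rw_file_perms` without a comment. A short why-comment there would help the next reviewer judge whether the write is still needed.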
@@ -127,24 +148,36 @@ allow chromium_renderer_t chromium_t:fd use;
allow chromium_renderer_t chromium_t:unix_stream_socket rw_stream_socket_perms;
allow chromium_renderer_t chromium_tmpfs_t:file rw_file_perms;
-dontaudit chromium_renderer_t chromium_t:dir search;
+dontaudit chromium_renderer_t chromium_t:dir search; # /proc/... access
dontaudit chromium_renderer_t self:process getsched;
-kernel_dontaudit_read_system_state(chromium_renderer_t);
-kernel_dontaudit_search_sysctl(chromium_renderer_t);
+kernel_dontaudit_read_system_state(chromium_renderer_t)
+kernel_dontaudit_search_sysctl(chromium_renderer_t)
+# Currently needed due to java plugins
+kernel_read_kernel_sysctls(chromium_renderer_t)
+
+dev_read_urand(chromium_renderer_t)
-dev_read_urand(chromium_renderer_t);
+files_list_tmp(chromium_renderer_t)
+files_read_etc_files(chromium_renderer_t)
+files_read_usr_files(chromium_renderer_t)
+files_search_var(chromium_renderer_t)
-files_list_tmp(chromium_renderer_t);
+#files_dontaudit_read_all_symlinks(chromium_renderer_t)
+# was dontaudited, perhaps needed for plugins?
+#files_search_var(chromium_renderer_t)
-files_dontaudit_read_all_symlinks(chromium_renderer_t);
-files_dontaudit_search_var(chromium_renderer_t);
+init_sigchld(chromium_renderer_t)
-init_sigchld(chromium_renderer_t);
+miscfiles_read_localization(chromium_renderer_t)
-miscfiles_read_fonts(chromium_renderer_t);
-miscfiles_read_localization(chromium_renderer_t);
+userdom_dontaudit_use_all_users_fds(chromium_renderer_t)
+userdom_use_user_terminals(chromium_renderer_t)
-userdom_dontaudit_use_user_ptys(chromium_renderer_t);
+xdg_read_generic_config_home_files(chromium_renderer_t)
-xdg_read_generic_config_home_files(chromium_renderer_t);
+xserver_user_x_domain_template(chromium_renderer, chromium_renderer_t, chromium_tmpfs_t)
+
+optional_policy(`
+ alsa_read_rw_config(chromium_renderer_t)
+')
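Review bot: `userdom_use_user_terminals(chromium_renderer_t)` replaces `userdom_dontaudit_use_user_ptys(chromium_renderer_t)` and so hands the renderer, the domain that processes untrusted page content, read/write use of the user's terminal devices. The matching rule for chromium_t is commented as debugging only; nothing in this hunk says why the renderer needs it. Unless a denial shows real breakage, keep the renderer silent with `userdom_dontaudit_use_user_terminals(chromium_renderer_t)`. Also, the commented-out `#files_search_var(chromium_renderer_t)` with its "was dontaudited" remark sits right below an active `files_search_var(chromium_renderer_t)`. Drop the stale comment, or move the remark onto the live line.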
diff --git a/policy/modules/contrib/chromium/chromium_role.part b/policy/modules/contrib/chromium/chromium_role.part
index 8d679f1..ecb4783 100644
--- a/policy/modules/contrib/chromium/chromium_role.part
+++ b/policy/modules/contrib/chromium/chromium_role.part
@@ -28,5 +28,7 @@ interface(`chromium_role',`
# Allow ps to show chromium processes and allow the user to signal it
ps_process_pattern($2, chromium_t)
+ ps_process_pattern($2, chromium_renderer_t)
allow $2 chromium_t:process signal_perms;
+ allow $2 chromium_renderer_t:process signal_perms;
')
diff --git a/policy/modules/contrib/chromium/chromium_rw_tmp_pipes.part b/policy/modules/contrib/chromium/chromium_rw_tmp_pipes.part
new file mode 100644
index 0000000..9d35d25
--- /dev/null
+++ b/policy/modules/contrib/chromium/chromium_rw_tmp_pipes.part
@@ -0,0 +1,17 @@
+#######################################
+## <summary>
+## Read-write access to Chromiums' temporary fifo files
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access
+## </summary>
+## </param>
+#
+interface(`chromium_rw_tmp_pipes',`
+ gen_require(`
+ type chromium_tmp_t;
+ ')
+
+ rw_fifo_files_pattern($1, chromium_tmp_t, chromium_tmp_t)
+')
diff --git a/policy/modules/contrib/java.if b/policy/modules/contrib/java.if
index e6d84e8..b338aec 100644
--- a/policy/modules/contrib/java.if
+++ b/policy/modules/contrib/java.if
@@ -115,6 +115,32 @@ template(`java_domtrans',`
########################################
## <summary>
+## Run java in javaplugin domain and
+## do not clean the environment (atsecure)
+## </summary>
+## <desc>
+## <p>
+## This is needed when java is called by an application with library
+## settings (such as is the case when invoked as a browser plugin)
+## </p>
+## </desc>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+template(`java_noatsecure_domtrans',`
+ gen_require(`
+ type java_t;
+ ')
+
+ allow $1 java_t:process noatsecure;
+
+ java_domtrans($1)
+')
+########################################
+## <summary>
## Execute java in the java domain, and
## allow the specified role the java domain.
## </summary>
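Review bot: The summary of `java_noatsecure_domtrans` says "Run java in javaplugin domain", but the body requires and transitions to `java_t`, so the text should name the java domain. The description should also state the consequence of `allow $1 java_t:process noatsecure;`: the loader's secure-execution mode is not enabled across the transition, so environment settings from the calling domain (library paths, preloads) are honoured inside java_t. That makes java_t only as trustworthy as each caller's environment, so the interface should be documented as for callers that need it, and ideally gated by a tunable. This commit already gives it to chromium_t and, in mozilla.te, switches mozilla_t over from `java_domtrans`. The interface creates no types, so `interface` rather than `template` would be the usual macro, although the neighbouring `java_domtrans` uses `template` too.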
diff --git a/policy/modules/contrib/java.te b/policy/modules/contrib/java.te
index bce6b38..50b7605 100644
--- a/policy/modules/contrib/java.te
+++ b/policy/modules/contrib/java.te
@@ -39,6 +39,7 @@ init_system_domain(unconfined_java_t, java_exec_t)
allow java_t self:process { signal_perms getsched setsched execmem };
allow java_t self:fifo_file rw_fifo_file_perms;
+allow java_t self:sem create_sem_perms;
allow java_t self:tcp_socket create_socket_perms;
allow java_t self:udp_socket create_socket_perms;
@@ -97,7 +98,7 @@ miscfiles_read_fonts(java_t)
sysnet_read_config(java_t)
-userdom_dontaudit_use_user_terminals(java_t)
+userdom_use_user_terminals(java_t)
userdom_dontaudit_setattr_user_home_content_files(java_t)
userdom_dontaudit_exec_user_home_content_files(java_t)
userdom_manage_user_home_content_dirs(java_t)
@@ -120,6 +121,20 @@ tunable_policy(`allow_java_execstack',`
')
optional_policy(`
+ alsa_read_rw_config(java_t)
+')
+
+optional_policy(`
+ # Plugin communication
+ chromium_rw_tmp_pipes(java_t)
+')
+
+optional_policy(`
+ # Plugin communication
+ mozilla_rw_tmp_pipes(java_t)
+')
+
+optional_policy(`
nis_use_ypbind(java_t)
')
diff --git a/policy/modules/contrib/mozilla.if b/policy/modules/contrib/mozilla.if
index b397fde..421f434 100644
--- a/policy/modules/contrib/mozilla.if
+++ b/policy/modules/contrib/mozilla.if
@@ -60,6 +60,27 @@ interface(`mozilla_role',`
## </summary>
## </param>
#
+interface(`mozilla_read_user_home',`
+ gen_require(`
+ type mozilla_home_t;
+ ')
+
+ list_dirs_pattern($1, mozilla_home_t, mozilla_home_t)
+ read_files_pattern($1, mozilla_home_t, mozilla_home_t)
+ userdom_search_user_home_dirs($1)
+')
+
+
+########################################
+## <summary>
+## Read mozilla home directory files
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
interface(`mozilla_read_user_home_files',`
gen_require(`
type mozilla_home_t;
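Review bot: `mozilla_read_user_home` grants `list_dirs_pattern` and `read_files_pattern` on all of `mozilla_home_t`, yet the only caller in this commit (chromium.te) justifies it with "Chromium reads in .mozilla for user plugins". If mozilla_home_t labels the whole profile tree, which is not visible from this hunk, chromium_t can then read every file in the Firefox profile rather than just the plugin directory. A narrower interface on a plugin-specific type, or at least a `<desc>` stating the breadth, would be preferable. Also note that the new interface is inserted under a doc header that starts above the hunk and previously belonged to `mozilla_read_user_home_files`. Check that that summary still matches an interface which also lists directories and searches the user home.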
@@ -300,3 +321,21 @@ interface(`mozilla_plugin_delete_tmpfs_files',`
allow $1 mozilla_plugin_tmpfs_t:file unlink;
')
+
+########################################
+## <summary>
+## Read/write to mozilla's tmp fifo files
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access
+## </summary>
+## </param>
+#
+interface(`mozilla_rw_tmp_pipes',`
+ gen_require(`
+ type mozilla_tmp_t;
+ ')
+
+ rw_fifo_files_pattern($1, mozilla_tmp_t, mozilla_tmp_t)
+')
diff --git a/policy/modules/contrib/mozilla.te b/policy/modules/contrib/mozilla.te
index 22b659a..b6fedc8 100644
--- a/policy/modules/contrib/mozilla.te
+++ b/policy/modules/contrib/mozilla.te
@@ -275,7 +275,7 @@ optional_policy(`
')
optional_policy(`
- java_domtrans(mozilla_t)
+ java_noatsecure_domtrans(mozilla_t)
')
optional_policy(`
diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
index aa56096..b35f15d 100644
--- a/policy/modules/kernel/files.if
+++ b/policy/modules/kernel/files.if
@@ -2594,6 +2594,25 @@ interface(`files_manage_etc_dirs',`
########################################
## <summary>
+## Do not audit attempts to read files
+## in /etc
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`files_dontaudit_read_etc_files',`
+ gen_require(`
+ type etc_runtime_t;
+ ')
+
+ dontaudit $1 etc_t:file { getattr read };
+')
+
+########################################
+## <summary>
## Read generic files in /etc.
## </summary>
## <desc>
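Review bot: `files_dontaudit_read_etc_files` requires the wrong type: the gen_require block declares `type etc_runtime_t;` while the rule is `dontaudit $1 etc_t:file { getattr read };`. As written, `etc_t` is used without being required and `etc_runtime_t` is required without being used. Change the require line to `type etc_t;`.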
diff --git a/policy/modules/kernel/kernel.if b/policy/modules/kernel/kernel.if
index 4bf45cb..b28953e 100644
--- a/policy/modules/kernel/kernel.if
+++ b/policy/modules/kernel/kernel.if
@@ -1843,6 +1843,24 @@ interface(`kernel_read_crypto_sysctls',`
list_dirs_pattern($1, { proc_t sysctl_t }, sysctl_crypto_t)
')
+#######################################
+## <summary>
+## Do not audit attempted reading of kernel sysctls
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit accesses from
+## </summary>
+## </param>
+#
+interface(`kernel_dontaudit_read_kernel_sysctls',`
+ gen_require(`
+ type sysctl_kernel_t;
+ ')
+
+ dontaudit $1 sysctl_kernel_t:file read_file_perms;
+')
+
########################################
## <summary>
## Read general kernel sysctls.
diff --git a/policy/modules/system/getty.if b/policy/modules/system/getty.if
index e4376aa..7fa1f01 100644
--- a/policy/modules/system/getty.if
+++ b/policy/modules/system/getty.if
@@ -21,6 +21,24 @@ interface(`getty_domtrans',`
########################################
## <summary>
+## Do not audit the use of getty file descriptors.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`getty_dontaudit_use_fds',`
+ gen_require(`
+ type getty_t;
+ ')
+
+ dontaudit $1 getty_t:fd use;
+')
+
+########################################
+## <summary>
## Inherit and use getty file descriptors.
## </summary>
## <param name="domain">
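Review bot: The parameter description of `getty_dontaudit_use_fds` reads "Domain allowed access.", but the interface only emits `dontaudit $1 getty_t:fd use;` and grants nothing. Use the wording the other dontaudit interfaces in this commit use, `Domain to not audit.`, so the generated documentation does not suggest an allow rule.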
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/, policy/modules/contrib/chromium/, ...
@ 2012-07-25 9:51 Sven Vermeulen
From: Sven Vermeulen @ 2012-07-25 9:51 UTC (permalink / raw
To: gentoo-commits
commit: be20817c3ec53d84be19c643d810fd6643325d4b
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Wed Jul 25 09:50:45 2012 +0000
Commit: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Wed Jul 25 09:50:45 2012 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=be20817c
Updates on browser policy, mainly trying to get java plugins working properly
---
policy/modules/contrib/chromium.if | 29 ++++++++++++
policy/modules/contrib/chromium.te | 49 ++++++++++++-------
.../contrib/chromium/chromium_tmp_filetrans.part | 29 ++++++++++++
policy/modules/contrib/java.if | 7 +++
policy/modules/contrib/java.te | 9 ++++
policy/modules/contrib/mozilla.te | 32 +++++++++++--
policy/modules/kernel/files.if | 2 -
7 files changed, 132 insertions(+), 25 deletions(-)
diff --git a/policy/modules/contrib/chromium.if b/policy/modules/contrib/chromium.if
index e06004d..5e158e7 100644
--- a/policy/modules/contrib/chromium.if
+++ b/policy/modules/contrib/chromium.if
@@ -53,6 +53,35 @@ interface(`chromium_rw_tmp_pipes',`
rw_fifo_files_pattern($1, chromium_tmp_t, chromium_tmp_t)
')
+##############################################
+## <summary>
+## Automatically use the specified type for resources created in chromium's
+## temporary locations
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain that creates the resource(s)
+## </summary>
+## </param>
+## <param name="class">
+## <summary>
+## Type of the resource created
+## </summary>
+## </param>
+## <param name="filename" optional="true">
+## <summary>
+## The name of the resource being created
+## </summary>
+## </param>
+#
+interface(`chromium_tmp_filetrans',`
+ gen_require(`
+ type chromium_tmp_t;
+ ')
+
+ search_dirs_pattern($1, chromium_tmp_t, chromium_tmp_t)
+ filetrans_pattern($1, chromium_tmp_t, $2, $3, $4)
+')
#######################################
## <summary>
## Execute a domain transition to the chromium domain (chromium_t)
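Review bot: The documentation of `chromium_tmp_filetrans` lists three parameters (domain, class, filename), but the body calls `filetrans_pattern($1, chromium_tmp_t, $2, $3, $4)` and therefore takes four. The missing one is `$2`, the type given to the newly created object. Add a param block for it between "domain" and "class", for example with the summary `The type of the object to be created`. The "class" summary currently reads "Type of the resource created"; reword it to `The object class of the resource being created` so the two are not confused. Callers that follow the current docs would pass the class in the position of the type.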
diff --git a/policy/modules/contrib/chromium.te b/policy/modules/contrib/chromium.te
index bb6403c..22a78a0 100644
--- a/policy/modules/contrib/chromium.te
+++ b/policy/modules/contrib/chromium.te
@@ -5,6 +5,19 @@ policy_module(chromium-browser, 1.0.0)
# Declarations
#
+## <desc>
+## <p>
+## Allow the use of java plugins
+## </p>
+## <p>
+## Some of these plugins require the use of named pipes (fifo files) that are
+## created within the temporary directory of the first browser that instantiated
+## the plugin. Hence, if other browsers need access to java plugins, they will
+## get search rights in chromium's tmp locations
+## </p>
+## </desc>
+gen_tunable(chromium_use_java, false)
+
type chromium_t;
domain_dyntrans_type(chromium_t)
@@ -69,6 +82,8 @@ xdg_cache_home_filetrans(chromium_t, chromium_xdg_cache_t, dir, "chromium")
dyntrans_pattern(chromium_t, chromium_renderer_t)
kernel_read_kernel_sysctls(chromium_t)
+# Memory optimizations & optimizations based on OS/version
+kernel_read_system_state(chromium_t)
corecmd_exec_bin(chromium_t)
corecmd_exec_shell(chromium_t)
@@ -79,7 +94,8 @@ corenet_tcp_connect_http_port(chromium_t)
dev_read_sound(chromium_t)
dev_write_sound(chromium_t)
-#dev_read_sysfs(chromium_t) # only notice a search...
+# Debugging (sys/kernel/debug) and device information (sys/bus and sys/devices).
+dev_read_sysfs(chromium_t)
dev_read_urand(chromium_t)
domain_dontaudit_search_all_domains_state(chromium_t)
@@ -87,7 +103,6 @@ domain_dontaudit_search_all_domains_state(chromium_t)
files_list_home(chromium_t)
files_read_usr_files(chromium_t)
files_read_etc_files(chromium_t)
-#files_read_etc_runtime_files(chromium_t)
fs_dontaudit_getattr_xattr_fs(chromium_t)
@@ -97,19 +112,14 @@ miscfiles_read_localization(chromium_t)
#seutil_libselinux_linked(chromium_t)
-#sysnet_dns_name_resolve(chromium_t)
+sysnet_dns_name_resolve(chromium_t)
userdom_manage_user_home_content_dirs(chromium_t)
userdom_manage_user_home_content_files(chromium_t)
-# Debugging. Also on user_tty_device_t if X is started through "startx" for
-# instance
+# Debugging. Also on user_tty_device_t if X is started through "startx" for instance
userdom_use_user_terminals(chromium_t)
-xdg_manage_generic_cache_home_content(chromium_t)
-#xdg_manage_generic_config_home_content(chromium_t)
-xdg_read_generic_config_home_files(chromium_t)
-#xdg_manage_generic_data_home_content(chromium_t)
-
+xdg_read_generic_data_home_files(chromium_t)
xserver_user_x_domain_template(chromium, chromium_t, chromium_tmpfs_t)
optional_policy(`
@@ -131,7 +141,12 @@ optional_policy(`
')
optional_policy(`
- java_noatsecure_domtrans(chromium_t)
+ # Java (iced-tea) plugin .so creates /tmp/icedteaplugin-<name> directory
+ # and fifo files within. These are then used by the renderer and a
+ # freshly forked java process to communicate between each other.
+ tunable_policy(`chromium_use_java',`
+ java_noatsecure_domtrans(chromium_t)
+ ')
')
optional_policy(`
@@ -158,16 +173,18 @@ allow chromium_renderer_t chromium_tmpfs_t:file rw_file_perms;
dontaudit chromium_renderer_t chromium_t:dir search; # /proc/... access
dontaudit chromium_renderer_t self:process getsched;
+read_files_pattern(chromium_renderer_t, chromium_xdg_config_t, chromium_xdg_config_t)
+
+rw_fifo_files_pattern(chromium_renderer_t, chromium_tmp_t, chromium_tmp_t)
+
kernel_dontaudit_read_system_state(chromium_renderer_t)
kernel_dontaudit_search_sysctl(chromium_renderer_t)
-# Currently needed due to java plugins TODO true? think it required fifo
-#kernel_read_kernel_sysctls(chromium_renderer_t)
dev_read_urand(chromium_renderer_t)
files_list_tmp(chromium_renderer_t)
files_read_etc_files(chromium_renderer_t)
-files_read_usr_files(chromium_renderer_t)
+files_search_usr(chromium_renderer_t)
files_search_var(chromium_renderer_t)
#files_dontaudit_read_all_symlinks(chromium_renderer_t)
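Review bot: `rw_fifo_files_pattern(chromium_renderer_t, chromium_tmp_t, chromium_tmp_t)` is added unconditionally, although the comment in the java optional_policy block earlier in this file ties those fifo files to the icedtea plugin and gates the transition on chromium_use_java. If the renderer needs the pipes only for the plugin (likely from the commit message, but not shown here), the rule belongs inside a tunable_policy block on chromium_use_java. That way the domain handling web content keeps the smaller permission set when the boolean is off. The new `read_files_pattern` on chromium_xdg_config_t has no comment saying what the renderer reads there; a one-line why-comment would help the next reviewer.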
@@ -184,7 +201,3 @@ userdom_use_user_terminals(chromium_renderer_t)
xdg_read_generic_config_home_files(chromium_renderer_t)
xserver_user_x_domain_template(chromium_renderer, chromium_renderer_t, chromium_tmpfs_t)
-
-optional_policy(`
- alsa_read_rw_config(chromium_renderer_t)
-')
diff --git a/policy/modules/contrib/chromium/chromium_tmp_filetrans.part b/policy/modules/contrib/chromium/chromium_tmp_filetrans.part
new file mode 100644
index 0000000..88081cf
--- /dev/null
+++ b/policy/modules/contrib/chromium/chromium_tmp_filetrans.part
@@ -0,0 +1,29 @@
+##############################################
+## <summary>
+## Automatically use the specified type for resources created in chromium's
+## temporary locations
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain that creates the resource(s)
+## </summary>
+## </param>
+## <param name="class">
+## <summary>
+## Type of the resource created
+## </summary>
+## </param>
+## <param name="filename" optional="true">
+## <summary>
+## The name of the resource being created
+## </summary>
+## </param>
+#
+interface(`chromium_tmp_filetrans',`
+ gen_require(`
+ type chromium_tmp_t;
+ ')
+
+ search_dirs_pattern($1, chromium_tmp_t, chromium_tmp_t)
+ filetrans_pattern($1, chromium_tmp_t, $2, $3, $4)
+')
diff --git a/policy/modules/contrib/java.if b/policy/modules/contrib/java.if
index b338aec..086215d 100644
--- a/policy/modules/contrib/java.if
+++ b/policy/modules/contrib/java.if
@@ -18,6 +18,7 @@
interface(`java_role',`
gen_require(`
type java_t, java_exec_t;
+ type java_home_t;
')
role $1 types java_t;
@@ -31,6 +32,9 @@ interface(`java_role',`
allow java_t $2:unix_stream_socket connectto;
allow java_t $2:unix_stream_socket { read write };
allow java_t $2:tcp_socket { read write };
+
+ manage_files_pattern($2, java_home_t, java_home_t)
+ manage_dirs_pattern($2, java_home_t, java_home_t)
')
#######################################
@@ -111,6 +115,9 @@ template(`java_domtrans',`
')
domtrans_pattern($1, java_exec_t, java_t)
+
+ # /usr/bin/java is a symlink
+ files_read_usr_symlinks($1)
')
########################################
diff --git a/policy/modules/contrib/java.te b/policy/modules/contrib/java.te
index 50b7605..3068789 100644
--- a/policy/modules/contrib/java.te
+++ b/policy/modules/contrib/java.te
@@ -19,6 +19,9 @@ typealias java_t alias { staff_javaplugin_t user_javaplugin_t sysadm_javaplugin_
typealias java_t alias { auditadm_javaplugin_t secadm_javaplugin_t };
role system_r types java_t;
+type java_home_t;
+userdom_user_home_content(java_home_t)
+
type java_tmp_t;
userdom_user_tmp_file(java_tmp_t)
typealias java_tmp_t alias { staff_javaplugin_tmp_t user_javaplugin_tmp_t sysadm_javaplugin_tmp_t };
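Review bot: `java_home_t` is declared here and the next hunk adds a named transition for ".icedtea", but java.fc is not among the seven files this commit changes. Without a file-context entry, an existing ~/.icedtea directory keeps its old label, and a relabel would reset newly created ones to the default home content type. An entry along the lines of `HOME_DIR/\.icedtea(/.*)? gen_context(system_u:object_r:java_home_t,s0)` in java.fc would keep the label stable. This is worth confirming in case the entry is added by a separate commit.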
@@ -39,10 +42,16 @@ init_system_domain(unconfined_java_t, java_exec_t)
allow java_t self:process { signal_perms getsched setsched execmem };
allow java_t self:fifo_file rw_fifo_file_perms;
+# For java browser plugin accessing internet resources?
+allow java_t self:netlink_route_socket create_netlink_socket_perms;
allow java_t self:sem create_sem_perms;
allow java_t self:tcp_socket create_socket_perms;
allow java_t self:udp_socket create_socket_perms;
+manage_dirs_pattern(java_t, java_home_t, java_home_t)
+manage_files_pattern(java_t, java_home_t, java_home_t)
+userdom_user_home_dir_filetrans(java_t, java_home_t, dir, ".icedtea")
+
manage_dirs_pattern(java_t, java_tmp_t, java_tmp_t)
manage_files_pattern(java_t, java_tmp_t, java_tmp_t)
files_tmp_filetrans(java_t, java_tmp_t, { file dir })
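Review bot: The new `allow java_t self:netlink_route_socket create_netlink_socket_perms;` grants more than its comment suggests, and the comment itself ends in a question mark. In refpolicy's permission sets `create_netlink_socket_perms` includes nlmsg_write, whereas the route lookups done during name resolution need only the read side. `allow java_t self:netlink_route_socket r_netlink_socket_perms;` would cover that case. The comment should then state the observed denial rather than a guess.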
diff --git a/policy/modules/contrib/mozilla.te b/policy/modules/contrib/mozilla.te
index b6fedc8..29fec77 100644
--- a/policy/modules/contrib/mozilla.te
+++ b/policy/modules/contrib/mozilla.te
@@ -10,7 +10,20 @@ policy_module(mozilla, 2.5.0)
## Allow confined web browsers to read home directory content
## </p>
## </desc>
-gen_tunable(mozilla_read_content, false)
+gen_tunable(mozilla_read_user_content, false)
+
+## <desc>
+## <p>
+## Allow mozilla to use java plugins
+## </p>
+## <p>
+## Some plugins use named pipes inside temporary directories created
+## by the browser to communicate with the java process. If other browsers
+## need to use java plugins as well, they will get search privileges within
+## the temporary directories of mozilla
+## </p>
+## </desc>
+gen_tunable(mozilla_use_java, false)
attribute_role mozilla_roles;
@@ -198,7 +211,7 @@ tunable_policy(`use_samba_home_dirs',`
')
# Uploads, local html
-tunable_policy(`mozilla_read_content && use_nfs_home_dirs',`
+tunable_policy(`mozilla_read_user_content && use_nfs_home_dirs',`
fs_list_auto_mountpoints(mozilla_t)
files_list_home(mozilla_t)
fs_read_nfs_files(mozilla_t)
@@ -211,7 +224,7 @@ tunable_policy(`mozilla_read_content && use_nfs_home_dirs',`
fs_dontaudit_list_nfs(mozilla_t)
')
-tunable_policy(`mozilla_read_content && use_samba_home_dirs',`
+tunable_policy(`mozilla_read_user_content && use_samba_home_dirs',`
fs_list_auto_mountpoints(mozilla_t)
files_list_home(mozilla_t)
fs_read_cifs_files(mozilla_t)
@@ -223,7 +236,7 @@ tunable_policy(`mozilla_read_content && use_samba_home_dirs',`
fs_dontaudit_list_cifs(mozilla_t)
')
-tunable_policy(`mozilla_read_content',`
+tunable_policy(`mozilla_read_user_content',`
userdom_list_user_tmp(mozilla_t)
userdom_read_user_tmp_files(mozilla_t)
userdom_read_user_tmp_symlinks(mozilla_t)
@@ -275,7 +288,16 @@ optional_policy(`
')
optional_policy(`
- java_noatsecure_domtrans(mozilla_t)
+ tunable_policy(`mozilla_use_java',`
+ java_noatsecure_domtrans(mozilla_t)
+ ')
+
+ # Cannot handle optional_policy within tunable_policy
+ optional_policy(`
+ tunable_policy(`mozilla_use_java',`
+ chromium_tmp_filetrans(mozilla_t, mozilla_tmp_t, fifo_file)
+ ')
+ ')
')
optional_policy(`
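Review bot: `chromium_tmp_filetrans(mozilla_t, mozilla_tmp_t, fifo_file)` gives mozilla_t more than the "search privileges" promised by the mozilla_use_java description in the first hunk of this file. The interface expands to `filetrans_pattern`, which in refpolicy's pattern macros also allows adding and removing entries in chromium_tmp_t directories. The description also speaks of other browsers reaching into mozilla's temporary directories, while this rule lets mozilla act inside chromium's. The tunable text should match what an administrator actually enables, for example `## When enabled, mozilla may also create named pipes in chromium's temporary directories`.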
diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
index b35f15d..2924d8c 100644
--- a/policy/modules/kernel/files.if
+++ b/policy/modules/kernel/files.if
@@ -6049,8 +6049,6 @@ interface(`files_pid_filetrans_lock_dir',`
type var_t, var_run_t;
')
- allow $1 var_t:dir search_dir_perms;
- allow $1 var_run_t:lnk_file read_lnk_file_perms;
files_pid_filetrans($1, var_lock_t, dir, $2)
')