public inbox for gentoo-commits@lists.gentoo.org
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/apps/
@ 2018-06-25  5:33 Jason Zaman
From: Jason Zaman @ 2018-06-25  5:33 UTC
  To: gentoo-commits

commit:     654fd93a51b7dd39e7ccf167f260515964c5eb62
Author:     Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Sun Jun 24 09:56:11 2018 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Mon Jun 25 05:31:59 2018 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=654fd93a

apps: rw mesa_shader_cache

 policy/modules/apps/games.te   | 1 +
 policy/modules/apps/mplayer.te | 1 +
 2 files changed, 2 insertions(+)

diff --git a/policy/modules/apps/games.te b/policy/modules/apps/games.te
index 0cdebe62..7389bd74 100644
--- a/policy/modules/apps/games.te
+++ b/policy/modules/apps/games.te
@@ -194,4 +194,5 @@ optional_policy(`
 	xserver_user_x_domain_template(games, games_t, games_tmpfs_t)
 	xserver_create_xdm_tmp_sockets(games_t)
 	xserver_read_xdm_lib_files(games_t)
+	xserver_rw_mesa_shader_cache(games_t)
 ')
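Review bot: the commit message gives no rationale for write access to the Mesa shader cache from games_t. Across this series games_t, mplayer_t and mozilla_t all receive write access to the same cache type, so the cache becomes a resource writable by domains of quite different trust levels; the message, or a comment above the call, should name the denial or feature that needs it. Placing the call inside the xserver optional_policy block is correct, since the interface belongs to the xserver module.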

diff --git a/policy/modules/apps/mplayer.te b/policy/modules/apps/mplayer.te
index 91b9569d..33eef8ed 100644
--- a/policy/modules/apps/mplayer.te
+++ b/policy/modules/apps/mplayer.te
@@ -216,6 +216,7 @@ xdg_read_music(mplayer_t)
 xdg_read_videos(mplayer_t)
 
 xserver_user_x_domain_template(mplayer, mplayer_t, mplayer_tmpfs_t)
+xserver_rw_mesa_shader_cache(mplayer_t)
 
 ifndef(`enable_mls',`
 	fs_list_dos(mplayer_t)
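Review bot: placement next to the unconditional xserver_user_x_domain_template call is consistent with this module (games.te in the same commit keeps the call inside an optional_policy block instead), but as with games.te a one-line comment on why a media player needs a writable shader cache would help future readers.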



* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/apps/
@ 2018-07-12 14:37 Jason Zaman
From: Jason Zaman @ 2018-07-12 14:37 UTC
  To: gentoo-commits

commit:     c3e2c66e2e2789edab5f851bb70428c590e9fbd9
Author:     Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Tue Jul 10 15:03:15 2018 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Wed Jul 11 14:41:35 2018 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=c3e2c66e

mozilla: xdg updates

 policy/modules/apps/mozilla.te | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/policy/modules/apps/mozilla.te b/policy/modules/apps/mozilla.te
index e57821da..1ae38bbf 100644
--- a/policy/modules/apps/mozilla.te
+++ b/policy/modules/apps/mozilla.te
@@ -206,6 +206,7 @@ userdom_use_user_ptys(mozilla_t)
 
 userdom_manage_user_tmp_dirs(mozilla_t)
 userdom_manage_user_tmp_files(mozilla_t)
+userdom_map_user_tmp_files(mozilla_t)
 
 userdom_user_content_access_template(mozilla, { mozilla_t mozilla_plugin_t })
 userdom_user_home_dir_filetrans_user_home_content(mozilla_t, { dir file })
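Review bot: userdom_map_user_tmp_files(mozilla_t) is not an xdg interface, yet the commit title is "mozilla: xdg updates"; the message should say what triggered the map permission on user tmp files (typically an mmap of a file under the user tmp type that was previously only readable/writable).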
@@ -219,6 +220,7 @@ xdg_read_config_files(mozilla_t)
 xdg_read_data_files(mozilla_t)
 xdg_manage_downloads(mozilla_t)
 
+xserver_rw_mesa_shader_cache(mozilla_t)
 xserver_user_x_domain_template(mozilla, mozilla_t, mozilla_tmpfs_t)
 xserver_dontaudit_read_xdm_tmp_files(mozilla_t)
 xserver_dontaudit_getattr_xdm_tmp_sockets(mozilla_t)
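Review bot: xserver_rw_mesa_shader_cache(mozilla_t) is inserted above xserver_user_x_domain_template here, whereas games.te and mplayer.te earlier in this thread place the same call after the template; pick one ordering and keep it across modules so the xserver block reads the same everywhere.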
@@ -519,6 +521,7 @@ miscfiles_dontaudit_setattr_fonts_cache_dirs(mozilla_plugin_t)
 
 userdom_manage_user_tmp_dirs(mozilla_plugin_t)
 userdom_manage_user_tmp_files(mozilla_plugin_t)
+userdom_map_user_tmp_files(mozilla_plugin_t)
 
 userdom_user_home_dir_filetrans_user_home_content(mozilla_plugin_t, { dir file })
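Review bot: mozilla_plugin_t is the lower-trust plugin domain, and userdom_map_user_tmp_files grants map on the generic user tmp type rather than on a mozilla-specific tmp type; confirm the plugin really needs to mmap arbitrary user tmp files, and if it only maps files it created itself, a plugin-owned tmp type with a filetrans would keep the grant narrower.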
 



* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/apps/
@ 2019-02-10  4:14 Jason Zaman
From: Jason Zaman @ 2019-02-10  4:14 UTC
  To: gentoo-commits

commit:     2727cf5aaf4f714dcb9d2dfa83a7378b87ed222b
Author:     Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Wed Jan 23 23:44:45 2019 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sun Feb 10 04:11:25 2019 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=2727cf5a

chromium: Move line.

Signed-off-by: Jason Zaman <jason <AT> perfinion.com>

 policy/modules/apps/chromium.te | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/policy/modules/apps/chromium.te b/policy/modules/apps/chromium.te
index dbf3a620..59c75491 100644
--- a/policy/modules/apps/chromium.te
+++ b/policy/modules/apps/chromium.te
@@ -253,7 +253,7 @@ ifdef(`use_alsa',`
 #
 
 allow chromium_renderer_t self:process execmem;
-
+dontaudit chromium_renderer_t self:process getsched;
 allow chromium_renderer_t self:fifo_file rw_fifo_file_perms;
 allow chromium_renderer_t self:shm create_shm_perms;
 allow chromium_renderer_t self:unix_dgram_socket { create read sendto };
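Review bot: the relocated dontaudit now sits directly under `allow chromium_renderer_t self:process execmem;`, which, unlike the chromium_t execmem rule ("execmem for load in plugins"), carries no comment; since this block is being edited anyway, add a comment stating why the renderer needs execmem so the rule is not mistaken for leftover. No permission changes here, the line is only moved up from the later hunk.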
@@ -264,7 +264,6 @@ allow chromium_renderer_t chromium_t:unix_stream_socket rw_stream_socket_perms;
 allow chromium_renderer_t chromium_tmpfs_t:file rw_file_perms;
 
 dontaudit chromium_renderer_t chromium_t:dir search;	# /proc/... access
-dontaudit chromium_renderer_t self:process getsched;
 
 read_files_pattern(chromium_renderer_t, chromium_xdg_config_t, chromium_xdg_config_t)
 



* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/apps/
@ 2019-02-10  4:14 Jason Zaman
From: Jason Zaman @ 2019-02-10  4:14 UTC
  To: gentoo-commits

commit:     f5a0a7c4574aaa7179d9f693db9d8e07b1afd7c1
Author:     Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Sat Jan 12 08:03:44 2019 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sun Feb 10 04:11:25 2019 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=f5a0a7c4

Add chromium policy upstreamed from Gentoo

Signed-off-by: Jason Zaman <jason <AT> perfinion.com>

 policy/modules/apps/chromium.fc |  31 ++++
 policy/modules/apps/chromium.if | 139 ++++++++++++++++
 policy/modules/apps/chromium.te | 342 ++++++++++++++++++++++++++++++++++++++++
 3 files changed, 512 insertions(+)

diff --git a/policy/modules/apps/chromium.fc b/policy/modules/apps/chromium.fc
new file mode 100644
index 00000000..534235dc
--- /dev/null
+++ b/policy/modules/apps/chromium.fc
@@ -0,0 +1,31 @@
+/opt/google/chrome/chrome				--	gen_context(system_u:object_r:chromium_exec_t,s0)
+/opt/google/chrome/chrome_sandbox			--	gen_context(system_u:object_r:chromium_sandbox_exec_t,s0)
+/opt/google/chrome/chrome-sandbox			--	gen_context(system_u:object_r:chromium_sandbox_exec_t,s0)
+/opt/google/chrome/google-chrome			--	gen_context(system_u:object_r:chromium_exec_t,s0)
+/opt/google/chrome/nacl_helper_bootstrap		--	gen_context(system_u:object_r:chromium_naclhelper_exec_t,s0)
+/opt/google/chrome/libudev.so.0					gen_context(system_u:object_r:lib_t,s0)
+
+/opt/google/chrome-beta/chrome				--	gen_context(system_u:object_r:chromium_exec_t,s0)
+/opt/google/chrome-beta/chrome_sandbox			--	gen_context(system_u:object_r:chromium_sandbox_exec_t,s0)
+/opt/google/chrome-beta/chrome-sandbox			--	gen_context(system_u:object_r:chromium_sandbox_exec_t,s0)
+/opt/google/chrome-beta/google-chrome			--	gen_context(system_u:object_r:chromium_exec_t,s0)
+/opt/google/chrome-beta/nacl_helper_bootstrap		--	gen_context(system_u:object_r:chromium_naclhelper_exec_t,s0)
+/opt/google/chrome-beta/libudev.so.0				gen_context(system_u:object_r:lib_t,s0)
+
+/opt/google/chrome-unstable/chrome			--	gen_context(system_u:object_r:chromium_exec_t,s0)
+/opt/google/chrome-unstable/chrome_sandbox		--	gen_context(system_u:object_r:chromium_sandbox_exec_t,s0)
+/opt/google/chrome-unstable/chrome-sandbox		--	gen_context(system_u:object_r:chromium_sandbox_exec_t,s0)
+/opt/google/chrome-unstable/google-chrome		--	gen_context(system_u:object_r:chromium_exec_t,s0)
+/opt/google/chrome-unstable/nacl_helper_bootstrap	--	gen_context(system_u:object_r:chromium_naclhelper_exec_t,s0)
+/opt/google/chrome-unstable/libudev.so.0			gen_context(system_u:object_r:lib_t,s0)
+
+/usr/lib/chromium-browser/chrome			--	gen_context(system_u:object_r:chromium_exec_t,s0)
+/usr/lib/chromium-browser/chrome_sandbox		--	gen_context(system_u:object_r:chromium_sandbox_exec_t,s0)
+/usr/lib/chromium-browser/chrome-sandbox		--	gen_context(system_u:object_r:chromium_sandbox_exec_t,s0)
+/usr/lib/chromium-browser/chromium-launcher\.sh		--	gen_context(system_u:object_r:chromium_exec_t,s0)
+/usr/lib/chromium-browser/nacl_helper_bootstrap		--	gen_context(system_u:object_r:chromium_naclhelper_exec_t,s0)
+
+HOME_DIR/\.cache/chromium(/.*)?					gen_context(system_u:object_r:chromium_xdg_cache_t,s0)
+HOME_DIR/\.cache/google-chrome(/.*)?				gen_context(system_u:object_r:chromium_xdg_cache_t,s0)
+HOME_DIR/\.config/chromium(/.*)?				gen_context(system_u:object_r:chromium_xdg_config_t,s0)
+HOME_DIR/\.config/google-chrome(/.*)?				gen_context(system_u:object_r:chromium_xdg_config_t,s0)
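Review bot: the three libudev.so.0 entries (chrome, chrome-beta, chrome-unstable) leave the dots unescaped; file_contexts paths are regular expressions, so `.` matches any character. Write `libudev\.so\.0`, as the file already does for `chromium-launcher\.sh`. Also note that `chromium-launcher\.sh` is labelled chromium_exec_t, so the entrypoint of chromium_t on the /usr/lib/chromium-browser layout is a shell script; that is why the .te file has to grant corecmd_exec_shell to chromium_t, and it is worth a comment there.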

diff --git a/policy/modules/apps/chromium.if b/policy/modules/apps/chromium.if
new file mode 100644
index 00000000..26eb0259
--- /dev/null
+++ b/policy/modules/apps/chromium.if
@@ -0,0 +1,139 @@
+## <summary>
+##	Chromium browser
+## </summary>
+
+#######################################
+## <summary>
+## 	Role access for chromium
+## </summary>
+## <param name="role">
+##	<summary>
+##	Role allowed access
+##	</summary>
+## </param>
+## <param name="domain">
+## 	<summary>
+##	User domain for the role
+##	</summary>
+## </param>
+#
+interface(`chromium_role',`
+	gen_require(`
+		type chromium_t;
+		type chromium_renderer_t;
+		type chromium_sandbox_t;
+		type chromium_naclhelper_t;
+		type chromium_exec_t;
+	')
+
+	role $1 types chromium_t;
+	role $1 types chromium_renderer_t;
+	role $1 types chromium_sandbox_t;
+	role $1 types chromium_naclhelper_t;
+
+	# Transition from the user domain to the derived domain
+	chromium_domtrans($2)
+
+	# Allow ps to show chromium processes and allow the user to signal it
+	ps_process_pattern($2, chromium_t)
+	ps_process_pattern($2, chromium_renderer_t)
+
+	allow $2 chromium_t:process signal_perms;
+	allow $2 chromium_renderer_t:process signal_perms;
+	allow $2 chromium_naclhelper_t:process signal_perms;
+
+	allow chromium_sandbox_t $2:fd use;
+	allow chromium_naclhelper_t $2:fd use;
+')
+
+#######################################
+## <summary>
+##	Read-write access to Chromiums' temporary fifo files
+## </summary>
+## <param name="domain">
+## 	<summary>
+##	Domain allowed access
+##	</summary>
+## </param>
+#
+interface(`chromium_rw_tmp_pipes',`
+	gen_require(`
+		type chromium_tmp_t;
+	')
+
+	rw_fifo_files_pattern($1, chromium_tmp_t, chromium_tmp_t)
+')
+
+##############################################
+## <summary>
+##	Automatically use the specified type for resources created in chromium's
+##	temporary locations
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain that creates the resource(s)
+##	</summary>
+## </param>
+## <param name="class">
+##	<summary>
+##	Type of the resource created
+##	</summary>
+## </param>
+## <param name="filename" optional="true">
+##	<summary>
+##	The name of the resource being created
+##	</summary>
+## </param>
+#
+interface(`chromium_tmp_filetrans',`
+	gen_require(`
+		type chromium_tmp_t;
+	')
+
+	search_dirs_pattern($1, chromium_tmp_t, chromium_tmp_t)
+	filetrans_pattern($1, chromium_tmp_t, $2, $3, $4)
+')
+
+#######################################
+## <summary>
+## 	Execute a domain transition to the chromium domain (chromium_t)
+## </summary>
+## <param name="domain">
+## 	<summary>
+##	Domain allowed access
+##	</summary>
+## </param>
+#
+interface(`chromium_domtrans',`
+	gen_require(`
+		type chromium_t;
+		type chromium_exec_t;
+	')
+
+	corecmd_search_bin($1)
+	domtrans_pattern($1, chromium_exec_t, chromium_t)
+')
+
+#######################################
+## <summary>
+## 	Execute chromium in the chromium domain and allow the specified role to access the chromium domain
+## </summary>
+## <param name="domain">
+## 	<summary>
+##	Domain allowed access
+##	</summary>
+## </param>
+## <param name="role">
+##	<summary>
+##	Role allowed access
+##	</summary>
+## </param>
+#
+interface(`chromium_run',`
+	gen_require(`
+		type chromium_t;
+	')
+
+	chromium_domtrans($1)
+	role $2 types chromium_t;
+')
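Review bot: chromium_run grants `role $2 types chromium_t;` only, but chromium_t goes on to transition into chromium_sandbox_t and chromium_naclhelper_t (domtrans) and into chromium_renderer_t (dyntrans), so a role that reaches chromium_t via chromium_run alone will have those transitions refused on role mismatch. Either add the same four `role $2 types ...` statements that chromium_role uses, or have chromium_run call chromium_role. Minor: "Chromiums'" in the chromium_rw_tmp_pipes summary should read "Chromium's".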

diff --git a/policy/modules/apps/chromium.te b/policy/modules/apps/chromium.te
new file mode 100644
index 00000000..5219cb87
--- /dev/null
+++ b/policy/modules/apps/chromium.te
@@ -0,0 +1,342 @@
+policy_module(chromium, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+## <desc>
+## <p>
+## Allow chromium to read system information
+## </p>
+## <p>
+## Although not needed for regular browsing, this will allow chromium to update
+## its own memory consumption based on system state, support additional
+## debugging, detect specific devices, etc.
+## </p>
+## </desc>
+gen_tunable(chromium_read_system_info, false)
+
+## <desc>
+## <p>
+## Allow chromium to bind to tcp ports
+## </p>
+## <p>
+## Although not needed for regular browsing, some chrome extensions need to
+## bind to tcp ports and accept connections.
+## </p>
+## </desc>
+gen_tunable(chromium_bind_tcp_unreserved_ports, false)
+
+## <desc>
+## <p>
+## Allow chromium to read/write USB devices
+## </p>
+## <p>
+## Although not needed for regular browsing, used for debugging over usb
+## or using FIDO U2F tokens.
+## </p>
+## </desc>
+gen_tunable(chromium_rw_usb_dev, false)
+
+type chromium_t;
+domain_dyntrans_type(chromium_t)
+
+type chromium_exec_t;
+application_domain(chromium_t, chromium_exec_t)
+
+type chromium_naclhelper_t;
+type chromium_naclhelper_exec_t;
+application_domain(chromium_naclhelper_t, chromium_naclhelper_exec_t)
+
+type chromium_sandbox_t;
+type chromium_sandbox_exec_t;
+application_domain(chromium_sandbox_t, chromium_sandbox_exec_t)
+
+type chromium_renderer_t;
+domain_base_type(chromium_renderer_t)
+
+type chromium_tmp_t;
+userdom_user_tmp_file(chromium_tmp_t)
+
+type chromium_tmpfs_t;
+userdom_user_tmpfs_file(chromium_tmpfs_t)
+optional_policy(`
+	pulseaudio_tmpfs_content(chromium_tmpfs_t)
+')
+
+type chromium_xdg_config_t;
+xdg_config_content(chromium_xdg_config_t)
+
+type chromium_xdg_cache_t;
+xdg_cache_content(chromium_xdg_cache_t)
+
+
+
+########################################
+#
+# chromium local policy
+#
+
+# execmem for load in plugins
+allow chromium_t self:process { execmem getsched getcap setcap setrlimit setsched sigkill signal };
+allow chromium_t self:fifo_file rw_fifo_file_perms;
+allow chromium_t self:sem create_sem_perms;
+allow chromium_t self:netlink_kobject_uevent_socket client_stream_socket_perms;
+# cap_userns sys_admin for the sandbox
+allow chromium_t self:cap_userns { sys_admin sys_chroot sys_ptrace };
+
+allow chromium_t chromium_exec_t:file execute_no_trans;
+
+allow chromium_t chromium_renderer_t:dir list_dir_perms;
+allow chromium_t chromium_renderer_t:file rw_file_perms;
+allow chromium_t chromium_renderer_t:fd use;
+allow chromium_t chromium_renderer_t:process signal_perms;
+allow chromium_t chromium_renderer_t:shm rw_shm_perms;
+allow chromium_t chromium_renderer_t:unix_dgram_socket { read write };
+allow chromium_t chromium_renderer_t:unix_stream_socket { read write };
+
+allow chromium_t chromium_sandbox_t:unix_dgram_socket { read write };
+allow chromium_t chromium_sandbox_t:unix_stream_socket { read write };
+
+allow chromium_t chromium_naclhelper_t:process { share };
+
+# tmp has a wide class access (used for plugins)
+manage_files_pattern(chromium_t, chromium_tmp_t, chromium_tmp_t)
+allow chromium_t chromium_tmp_t:file map;
+manage_dirs_pattern(chromium_t, chromium_tmp_t, chromium_tmp_t)
+manage_lnk_files_pattern(chromium_t, chromium_tmp_t, chromium_tmp_t)
+manage_sock_files_pattern(chromium_t, chromium_tmp_t, chromium_tmp_t)
+manage_fifo_files_pattern(chromium_t, chromium_tmp_t, chromium_tmp_t)
+files_tmp_filetrans(chromium_t, chromium_tmp_t, { file dir sock_file })
+
+manage_files_pattern(chromium_t, chromium_tmpfs_t, chromium_tmpfs_t)
+allow chromium_t chromium_tmpfs_t:file map;
+fs_tmpfs_filetrans(chromium_t, chromium_tmpfs_t, file)
+fs_tmpfs_filetrans(chromium_renderer_t, chromium_tmpfs_t, file)
+
+manage_files_pattern(chromium_t, chromium_xdg_config_t, chromium_xdg_config_t)
+allow chromium_t chromium_xdg_config_t:file map;
+manage_lnk_files_pattern(chromium_t, chromium_xdg_config_t, chromium_xdg_config_t)
+manage_dirs_pattern(chromium_t, chromium_xdg_config_t, chromium_xdg_config_t)
+xdg_config_filetrans(chromium_t, chromium_xdg_config_t, dir, "chromium")
+
+manage_files_pattern(chromium_t, chromium_xdg_cache_t, chromium_xdg_cache_t)
+allow chromium_t chromium_xdg_cache_t:file map;
+manage_dirs_pattern(chromium_t, chromium_xdg_cache_t, chromium_xdg_cache_t)
+xdg_cache_filetrans(chromium_t, chromium_xdg_cache_t, dir, "chromium")
+
+dyntrans_pattern(chromium_t, chromium_renderer_t)
+domtrans_pattern(chromium_t, chromium_sandbox_exec_t, chromium_sandbox_t)
+domtrans_pattern(chromium_t, chromium_naclhelper_exec_t, chromium_naclhelper_t)
+
+kernel_list_proc(chromium_t)
+kernel_read_net_sysctls(chromium_t)
+
+corecmd_exec_bin(chromium_t)
+# Look for /etc/gentoo-release through a shell invocation running find
+corecmd_exec_shell(chromium_t)
+
+corenet_tcp_connect_all_unreserved_ports(chromium_t)
+corenet_tcp_connect_ftp_port(chromium_t)
+corenet_tcp_connect_http_port(chromium_t)
+corenet_udp_bind_generic_node(chromium_t)
+corenet_udp_bind_all_unreserved_ports(chromium_t)
+
+dev_read_sound(chromium_t)
+dev_write_sound(chromium_t)
+dev_read_urand(chromium_t)
+dev_read_rand(chromium_t)
+dev_rw_xserver_misc(chromium_t)
+dev_map_xserver_misc(chromium_t)
+
+domain_dontaudit_search_all_domains_state(chromium_t)
+
+files_list_home(chromium_t)
+files_search_home(chromium_t)
+files_read_usr_files(chromium_t)
+files_map_usr_files(chromium_t)
+files_read_etc_files(chromium_t)
+# During find for /etc/whatever-release we get lots of output otherwise
+files_dontaudit_getattr_all_dirs(chromium_t)
+
+fs_dontaudit_getattr_xattr_fs(chromium_t)
+
+miscfiles_read_all_certs(chromium_t)
+miscfiles_read_localization(chromium_t)
+
+sysnet_dns_name_resolve(chromium_t)
+
+userdom_user_content_access_template(chromium, chromium_t)
+userdom_dontaudit_list_user_home_dirs(chromium_t)
+# Debugging. Also on user_tty_device_t if X is started through "startx" for instance
+userdom_use_user_terminals(chromium_t)
+userdom_manage_user_certs(chromium_t)
+userdom_user_home_dir_filetrans_user_cert(chromium_t, dir, ".pki")
+
+xdg_create_cache_dirs(chromium_t)
+xdg_create_config_dirs(chromium_t)
+xdg_create_data_dirs(chromium_t)
+xdg_manage_downloads(chromium_t)
+xdg_read_config_files(chromium_t)
+xdg_read_data_files(chromium_t)
+
+xserver_user_x_domain_template(chromium, chromium_t, chromium_tmpfs_t)
+
+tunable_policy(`chromium_bind_tcp_unreserved_ports',`
+	corenet_tcp_bind_generic_node(chromium_t)
+	corenet_tcp_bind_all_unreserved_ports(chromium_t)
+	allow chromium_t self:tcp_socket { listen accept };
+')
+
+tunable_policy(`chromium_rw_usb_dev',`
+	dev_rw_generic_usb_dev(chromium_t)
+	udev_read_db(chromium_t)
+')
+
+tunable_policy(`chromium_read_system_info',`
+	kernel_read_kernel_sysctls(chromium_t)
+	# Memory optimizations & optimizations based on OS/version
+	kernel_read_system_state(chromium_t)
+
+	# Debugging (sys/kernel/debug) and device information (sys/bus and sys/devices).
+	dev_read_sysfs(chromium_t)
+
+	storage_getattr_fixed_disk_dev(chromium_t)
+
+	files_read_etc_runtime_files(chromium_t)
+
+	dev_dontaudit_getattr_all_chr_files(chromium_t)
+	init_dontaudit_getattr_initctl(chromium_t)
+',`
+	kernel_dontaudit_read_kernel_sysctl(chromium_t)
+	kernel_dontaudit_read_system_state(chromium_t)
+
+	dev_dontaudit_read_sysfs(chromium_t)
+
+	files_dontaudit_read_etc_runtime_files(chromium_t)
+')
+
+optional_policy(`
+	cups_read_config(chromium_t)
+	cups_stream_connect(chromium_t)
+')
+
+optional_policy(`
+	dbus_all_session_bus_client(chromium_t)
+	dbus_system_bus_client(chromium_t)
+
+	optional_policy(`
+		unconfined_dbus_chat(chromium_t)
+	')
+	optional_policy(`
+		gnome_dbus_chat_all_gkeyringd(chromium_t)
+	')
+	optional_policy(`
+		devicekit_dbus_chat_power(chromium_t)
+	')
+')
+
+ifdef(`use_alsa',`
+	optional_policy(`
+		alsa_domain(chromium_t, chromium_tmpfs_t)
+	')
+
+	optional_policy(`
+		pulseaudio_domtrans(chromium_t)
+	')
+')
+
+########################################
+#
+# chromium_renderer local policy
+#
+
+allow chromium_renderer_t self:process execmem;
+
+allow chromium_renderer_t self:fifo_file rw_fifo_file_perms;
+allow chromium_renderer_t self:shm create_shm_perms;
+allow chromium_renderer_t self:unix_dgram_socket { create read sendto };
+allow chromium_renderer_t self:unix_stream_socket { create getattr read write };
+
+allow chromium_renderer_t chromium_t:fd use;
+allow chromium_renderer_t chromium_t:unix_stream_socket rw_stream_socket_perms;
+allow chromium_renderer_t chromium_tmpfs_t:file rw_file_perms;
+
+dontaudit chromium_renderer_t chromium_t:dir search;	# /proc/... access
+dontaudit chromium_renderer_t self:process getsched;
+
+read_files_pattern(chromium_renderer_t, chromium_xdg_config_t, chromium_xdg_config_t)
+
+rw_fifo_files_pattern(chromium_renderer_t, chromium_tmp_t, chromium_tmp_t)
+
+dev_read_urand(chromium_renderer_t)
+
+files_dontaudit_list_tmp(chromium_renderer_t)
+files_dontaudit_read_etc_files(chromium_renderer_t)
+files_search_var(chromium_renderer_t)
+
+init_sigchld(chromium_renderer_t)
+
+miscfiles_read_localization(chromium_renderer_t)
+
+userdom_dontaudit_use_all_users_fds(chromium_renderer_t)
+userdom_use_user_terminals(chromium_renderer_t)
+
+xdg_read_config_files(chromium_renderer_t)
+
+xserver_user_x_domain_template(chromium_renderer, chromium_renderer_t, chromium_tmpfs_t)
+
+tunable_policy(`chromium_read_system_info',`
+	kernel_read_kernel_sysctls(chromium_renderer_t)
+	kernel_read_system_state(chromium_renderer_t)
+',`
+	kernel_dontaudit_read_kernel_sysctl(chromium_renderer_t)
+	kernel_dontaudit_read_system_state(chromium_renderer_t)
+')
+
+#########################################
+#
+# Chromium sandbox local policy
+#
+
+allow chromium_sandbox_t self:capability { dac_read_search setgid setuid sys_admin sys_chroot sys_ptrace };
+allow chromium_sandbox_t self:process { setrlimit };
+allow chromium_sandbox_t self:unix_stream_socket create_stream_socket_perms;
+
+allow chromium_sandbox_t chromium_t:process { share };
+# /proc access
+allow chromium_sandbox_t chromium_t:dir list_dir_perms;
+allow chromium_sandbox_t chromium_t:lnk_file read_lnk_file_perms;
+allow chromium_sandbox_t chromium_t:file rw_file_perms;
+
+allow chromium_sandbox_t chromium_t:unix_stream_socket { read write };
+allow chromium_sandbox_t chromium_t:unix_dgram_socket { read write };
+
+kernel_list_proc(chromium_sandbox_t)
+
+domain_dontaudit_read_all_domains_state(chromium_sandbox_t)
+
+userdom_use_user_ptys(chromium_sandbox_t)
+
+chromium_domtrans(chromium_sandbox_t)
+
+##########################################
+#
+# Chromium nacl helper local policy
+#
+
+allow chromium_naclhelper_t chromium_t:unix_stream_socket { read write };
+
+domain_mmap_low_uncond(chromium_naclhelper_t)
+
+userdom_use_user_ptys(chromium_naclhelper_t)
+
+tunable_policy(`chromium_read_system_info',`
+	kernel_read_kernel_sysctls(chromium_naclhelper_t)
+	kernel_read_system_state(chromium_naclhelper_t)
+',`
+	kernel_dontaudit_read_kernel_sysctl(chromium_naclhelper_t)
+	kernel_dontaudit_read_system_state(chromium_naclhelper_t)
+')
+
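Review bot: corenet_udp_bind_generic_node and corenet_udp_bind_all_unreserved_ports are unconditional for chromium_t, while the equivalent TCP bind is gated behind chromium_bind_tcp_unreserved_ports; either gate UDP the same way or comment why binding UDP on any unreserved port must always be allowed. The sandbox domain's `self:capability { dac_read_search setgid setuid sys_admin sys_chroot sys_ptrace }` is the most powerful rule in the module and has no comment, unlike the cap_userns line for chromium_t; a comment naming the setuid sandbox helper as the reason would help reviewers. Finally, the file ends with an empty `+` line and has a double blank after the xdg_cache declarations; both are cleaned up by the whitespace commit later in this thread, so fold that into this one.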



* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/apps/
@ 2019-02-10  4:14 Jason Zaman
From: Jason Zaman @ 2019-02-10  4:14 UTC
  To: gentoo-commits

commit:     46b8592baa68cac9ec8519827408c91521cf0bce
Author:     Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Wed Jan 23 23:43:16 2019 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sun Feb 10 04:11:25 2019 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=46b8592b

chromium: Whitespace fixes.

Signed-off-by: Jason Zaman <jason <AT> perfinion.com>

 policy/modules/apps/chromium.if | 4 +---
 policy/modules/apps/chromium.te | 5 ++---
 2 files changed, 3 insertions(+), 6 deletions(-)

diff --git a/policy/modules/apps/chromium.if b/policy/modules/apps/chromium.if
index 26eb0259..2ded3279 100644
--- a/policy/modules/apps/chromium.if
+++ b/policy/modules/apps/chromium.if
@@ -1,6 +1,4 @@
-## <summary>
-##	Chromium browser
-## </summary>
+## <summary>Chromium browser</summary>
 
 #######################################
 ## <summary>

diff --git a/policy/modules/apps/chromium.te b/policy/modules/apps/chromium.te
index 5219cb87..dbf3a620 100644
--- a/policy/modules/apps/chromium.te
+++ b/policy/modules/apps/chromium.te
@@ -71,8 +71,6 @@ xdg_config_content(chromium_xdg_config_t)
 type chromium_xdg_cache_t;
 xdg_cache_content(chromium_xdg_cache_t)
 
-
-
 ########################################
 #
 # chromium local policy
@@ -229,9 +227,11 @@ optional_policy(`
 	optional_policy(`
 		unconfined_dbus_chat(chromium_t)
 	')
+
 	optional_policy(`
 		gnome_dbus_chat_all_gkeyringd(chromium_t)
 	')
+
 	optional_policy(`
 		devicekit_dbus_chat_power(chromium_t)
 	')
@@ -339,4 +339,3 @@ tunable_policy(`chromium_read_system_info',`
 	kernel_dontaudit_read_kernel_sysctl(chromium_naclhelper_t)
 	kernel_dontaudit_read_system_state(chromium_naclhelper_t)
 ')
-



* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/apps/
@ 2020-02-15  7:33 Jason Zaman
From: Jason Zaman @ 2020-02-15  7:33 UTC
  To: gentoo-commits

commit:     51312761c615ffb7bef402a32c96a7d992f0d70e
Author:     bauen1 <j2468h <AT> gmail <DOT> com>
AuthorDate: Sat Feb  8 15:07:32 2020 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sat Feb 15 07:32:05 2020 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=51312761

loadkeys: remove redundant ifdef

Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>

 policy/modules/apps/loadkeys.te | 6 ++----
 1 file changed, 2 insertions(+), 4 deletions(-)

diff --git a/policy/modules/apps/loadkeys.te b/policy/modules/apps/loadkeys.te
index 5c3b18d5..57274992 100644
--- a/policy/modules/apps/loadkeys.te
+++ b/policy/modules/apps/loadkeys.te
@@ -48,10 +48,8 @@ miscfiles_read_localization(loadkeys_t)
 userdom_use_user_ttys(loadkeys_t)
 userdom_list_user_home_content(loadkeys_t)
 
-ifdef(`distro_debian',`
-	optional_policy(`
-		consolesetup_read_conf(loadkeys_t)
-	')
+optional_policy(`
+	consolesetup_read_conf(loadkeys_t)
 ')
 
 optional_policy(`
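Review bot: with the distro_debian ifdef gone, the call remains wrapped in optional_policy, so it only takes effect when the consolesetup module is actually present; the behaviour change is therefore limited to non-Debian builds that ship consolesetup, which the commit message could state explicitly instead of only calling the ifdef redundant.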



* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/apps/
@ 2021-02-07  3:20 Jason Zaman
From: Jason Zaman @ 2021-02-07  3:20 UTC
  To: gentoo-commits

commit:     e27adab96f63c43ee299bf65dc9234ab898c9a95
Author:     Jonathan Davies <jpds <AT> protonmail <DOT> com>
AuthorDate: Fri Jan 29 14:56:29 2021 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sat Feb  6 20:54:11 2021 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=e27adab9

apps/screen.fc: Added fcontext for tmux xdg directory.

Signed-off-by: Jonathan Davies <jpds <AT> protonmail.com>
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>

 policy/modules/apps/screen.fc | 1 +
 1 file changed, 1 insertion(+)

diff --git a/policy/modules/apps/screen.fc b/policy/modules/apps/screen.fc
index 7196c598..e51e01d9 100644
--- a/policy/modules/apps/screen.fc
+++ b/policy/modules/apps/screen.fc
@@ -1,3 +1,4 @@
+HOME_DIR/\.config/tmux(/.*)?	--	gen_context(system_u:object_r:screen_home_t,s0)
 HOME_DIR/\.screen(/.*)?		gen_context(system_u:object_r:screen_home_t,s0)
 HOME_DIR/\.screenrc	--	gen_context(system_u:object_r:screen_home_t,s0)
 HOME_DIR/\.tmux\.conf	--	gen_context(system_u:object_r:screen_home_t,s0)
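Review bot: the new tmux entry carries the `--` regular-file specifier, but its regex `tmux(/.*)?` is meant to cover a directory tree; with `--` the directory itself and any subdirectories will not receive screen_home_t, only regular files inside it. Drop the `--` to match the `HOME_DIR/\.screen(/.*)?` line just below it (the `--` is right on the single-file `\.screenrc` and `\.tmux\.conf` entries).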



* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/apps/
@ 2021-02-07  3:20 Jason Zaman
From: Jason Zaman @ 2021-02-07  3:20 UTC
  To: gentoo-commits

commit:     f633f22afb5aff7f1173813fe7559851bc62b557
Author:     Jonathan Davies <jpds <AT> protonmail <DOT> com>
AuthorDate: Fri Jan 29 14:56:40 2021 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sat Feb  6 21:15:09 2021 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=f633f22a

apps/screen.te: Allow screen to search xdg directories.

Signed-off-by: Jonathan Davies <jpds <AT> protonmail.com>
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>

 policy/modules/apps/screen.te | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/policy/modules/apps/screen.te b/policy/modules/apps/screen.te
index f8546e84..58575bc9 100644
--- a/policy/modules/apps/screen.te
+++ b/policy/modules/apps/screen.te
@@ -111,6 +111,10 @@ tunable_policy(`use_nfs_home_dirs',`
 	fs_read_nfs_symlinks(screen_domain)
 ')
 
+optional_policy(`
+	xdg_search_config_dirs(screen_domain)
+')
+
 ifdef(`distro_gentoo',`
 	######################################
 	#
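Review bot: this policy change ships without a module version bump; the bump arrives as a separate commit later in this thread, whereas refpolicy convention is to bump in the same change. The optional_policy wrapper keeps the module building when xdg is absent, and xdg_search_config_dirs grants search only, which is what the new HOME_DIR/\.config/tmux fcontext in the previous commit needs for screen to reach its files under ~/.config.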



* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/apps/
@ 2021-02-07  3:20 Jason Zaman
From: Jason Zaman @ 2021-02-07  3:20 UTC
  To: gentoo-commits

commit:     bf51bea5131ee562ef22444e34aab06f69422cbc
Author:     Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Tue Feb  2 13:47:55 2021 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sat Feb  6 21:15:09 2021 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=bf51bea5

screen: Module version bump.

Signed-off-by: Chris PeBenito <pebenito <AT> ieee.org>
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>

 policy/modules/apps/screen.te | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/policy/modules/apps/screen.te b/policy/modules/apps/screen.te
index 58575bc9..bcfba653 100644
--- a/policy/modules/apps/screen.te
+++ b/policy/modules/apps/screen.te
@@ -1,4 +1,4 @@
-policy_module(screen, 2.11.0)
+policy_module(screen, 2.11.1)
 
 ########################################
 #



* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/apps/
@ 2021-11-21  3:00 Jason Zaman
From: Jason Zaman @ 2021-11-21  3:00 UTC
  To: gentoo-commits

commit:     830377badedee4af85544b6f5c856c71031520e5
Author:     Kenton Groombridge <me <AT> concord <DOT> sh>
AuthorDate: Wed Oct 13 22:46:07 2021 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sat Nov 20 22:58:24 2021 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=830377ba

mono: use user exec domain attribute

Signed-off-by: Kenton Groombridge <me <AT> concord.sh>
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>

 policy/modules/apps/mono.if | 23 ++++++++++++++---------
 1 file changed, 14 insertions(+), 9 deletions(-)

diff --git a/policy/modules/apps/mono.if b/policy/modules/apps/mono.if
index f37db3e8..ef116c39 100644
--- a/policy/modules/apps/mono.if
+++ b/policy/modules/apps/mono.if
@@ -12,18 +12,23 @@
 ## </desc>
 ## <param name="role_prefix">
 ##	<summary>
-##	The prefix of the user domain (e.g., user
-##	is the prefix for user_t).
+##	The prefix of the user role (e.g., user
+##	is the prefix for user_r).
 ##	</summary>
 ## </param>
-## <param name="user_role">
+## <param name="user_domain">
 ##	<summary>
-##	The role associated with the user domain.
+##	User domain for the role.
 ##	</summary>
 ## </param>
-## <param name="user_domain">
+## <param name="user_exec_domain">
+##	<summary>
+##	User exec domain for execute and transition access.
+##	</summary>
+## </param>
+## <param name="role">
 ##	<summary>
-##	The type of the user domain.
+##	Role allowed access
 ##	</summary>
 ## </param>
 #
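Review bot: the new "role" parameter summary on the last changed line reads "Role allowed access" without the trailing period that every other summary in this block carries ("User domain for the role.", "User exec domain for execute and transition access."); make it "Role allowed access." so the generated interface documentation stays consistent. Because the parameter order changes from (role_prefix, user_role, user_domain) to (role_prefix, user_domain, user_exec_domain, role), every existing caller of mono_role_template must be updated in the same series, otherwise a role gets passed where a domain is expected and the breakage only surfaces at policy build time.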
@@ -54,16 +59,16 @@ template(`mono_role_template',`
 	domtrans_pattern($3, mono_exec_t, $1_mono_t)
 
 	allow $3 $1_mono_t:process { ptrace noatsecure signal_perms };
-	ps_process_pattern($2, $1_mono_t)
+	ps_process_pattern($3, $1_mono_t)
 
-	corecmd_bin_domtrans($1_mono_t, $3)
+	corecmd_bin_domtrans($1_mono_t, $2)
 
 	userdom_manage_user_tmpfs_files($1_mono_t)
 
 	optional_policy(`
 		fs_dontaudit_rw_tmpfs_files($1_mono_t)
 
-		xserver_role($1, $1_mono_t, $1_application_exec_domain, $1_r)
+		xserver_role($1, $1_mono_t, $3, $4)
 	')
 ')
 
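Review bot: the unchanged context line "allow $3 $1_mono_t:process { ptrace noatsecure signal_perms };" now applies to the user exec domain attribute ($3) instead of the single user domain type it was written for, so ptrace and signal access over $1_mono_t is granted to every domain carrying that attribute. Confirm that this widening is intended; if only the user's own domain needs to ptrace and signal the mono domain, that line should use $2, matching corecmd_bin_domtrans($1_mono_t, $2) a few lines below, while domtrans_pattern and ps_process_pattern keep $3.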



* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/apps/
@ 2021-11-21  3:00 Jason Zaman
From: Jason Zaman @ 2021-11-21  3:00 UTC
  To: gentoo-commits

commit:     1dea46140374ccd2b67ed5daf6563e5917df519c
Author:     Kenton Groombridge <me <AT> concord <DOT> sh>
AuthorDate: Wed Oct 13 22:44:14 2021 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sat Nov 20 22:58:24 2021 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=1dea4614

wine: use user exec domain attribute

Signed-off-by: Kenton Groombridge <me <AT> concord.sh>
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>

 policy/modules/apps/wine.if | 58 +++++++++++++++++++++++++++++----------------
 1 file changed, 37 insertions(+), 21 deletions(-)

diff --git a/policy/modules/apps/wine.if b/policy/modules/apps/wine.if
index 25e09d6e..2050167d 100644
--- a/policy/modules/apps/wine.if
+++ b/policy/modules/apps/wine.if
@@ -4,18 +4,29 @@
 ## <summary>
 ##	Role access for wine.
 ## </summary>
-## <param name="role">
+## <param name="role_prefix">
 ##	<summary>
-##	Role allowed access.
+##	The prefix of the user role (e.g., user
+##	is the prefix for user_r).
 ##	</summary>
 ## </param>
-## <param name="domain">
+## <param name="user_domain">
 ##	<summary>
 ##	User domain for the role.
 ##	</summary>
 ## </param>
+## <param name="user_exec_domain">
+##	<summary>
+##	User exec domain for execute and transition access.
+##	</summary>
+## </param>
+## <param name="role">
+##	<summary>
+##	Role allowed access
+##	</summary>
+## </param>
 #
-interface(`wine_role',`
+template(`wine_role',`
 	gen_require(`
 		attribute_role wine_roles;
 		type wine_exec_t, wine_t, wine_tmp_t;
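Review bot: converting wine_role from an interface to a template changes the meaning of $1 from the role to the role prefix, but the gen_require block that follows is untouched and this hunk does not show the rest of the body, so every remaining use of $1 in wine_role must be checked against the new meaning before this is merged (the roleattribute line in the next hunk is one such use). The "Role allowed access" summary also lacks the trailing period used by the other parameter summaries in this file.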
@@ -24,18 +35,18 @@ interface(`wine_role',`
 
 	roleattribute $1 wine_roles;
 
-	domtrans_pattern($2, wine_exec_t, wine_t)
+	domtrans_pattern($3, wine_exec_t, wine_t)
 
-	allow wine_t $2:unix_stream_socket connectto;
-	allow wine_t $2:process signull;
+	allow wine_t $3:unix_stream_socket connectto;
+	allow wine_t $3:process signull;
 
-	ps_process_pattern($2, wine_t)
-	allow $2 wine_t:process { ptrace signal_perms };
+	ps_process_pattern($3, wine_t)
+	allow $3 wine_t:process { ptrace signal_perms };
 
-	allow $2 wine_t:fd use;
-	allow $2 wine_t:shm { associate getattr };
-	allow $2 wine_t:shm rw_shm_perms;
-	allow $2 wine_t:unix_stream_socket connectto;
+	allow $3 wine_t:fd use;
+	allow $3 wine_t:shm { associate getattr };
+	allow $3 wine_t:shm rw_shm_perms;
+	allow $3 wine_t:unix_stream_socket connectto;
 
 	allow $2 { wine_tmp_t wine_home_t }:dir { manage_dir_perms relabel_dir_perms };
 	allow $2 { wine_tmp_t wine_home_t }:file { manage_file_perms relabel_file_perms };
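Review bot: the context line "roleattribute $1 wine_roles;" at the top of this hunk is left as is, yet after this change $1 is the role prefix (for example "user"), not a role, so the statement would name a role after the prefix rather than the real role such as user_r; it should read "roleattribute $4 wine_roles;" now that the role is the fourth parameter. The $2 uses that remain for wine_tmp_t and wine_home_t at the bottom of the hunk are correct, since $2 is still the user domain that owns those files.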
@@ -55,18 +66,23 @@ interface(`wine_role',`
 ## </desc>
 ## <param name="role_prefix">
 ##	<summary>
-##	The prefix of the user domain (e.g., user
-##	is the prefix for user_t).
+##	The prefix of the user role (e.g., user
+##	is the prefix for user_r).
 ##	</summary>
 ## </param>
-## <param name="user_role">
+## <param name="user_domain">
 ##	<summary>
-##	The role associated with the user domain.
+##	User domain for the role.
 ##	</summary>
 ## </param>
-## <param name="user_domain">
+## <param name="user_exec_domain">
+##	<summary>
+##	User exec domain for execute and transition access.
+##	</summary>
+## </param>
+## <param name="role">
 ##	<summary>
-##	The type of the user domain.
+##	Role allowed access
 ##	</summary>
 ## </param>
 #
@@ -86,7 +102,7 @@ template(`wine_role_template',`
 
 	domtrans_pattern($3, wine_exec_t, $1_wine_t)
 
-	corecmd_bin_domtrans($1_wine_t, $3)
+	corecmd_bin_domtrans($1_wine_t, $2)
 
 	userdom_manage_user_tmpfs_files($1_wine_t)
 
@@ -97,7 +113,7 @@ template(`wine_role_template',`
 	')
 
 	optional_policy(`
-		xserver_role($1, $1_wine_t, $1_application_exec_domain, $1_r)
+		xserver_role($1, $1_wine_t, $3, $4)
 	')
 ')
 



* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/apps/
@ 2021-11-21  3:00 Jason Zaman
From: Jason Zaman @ 2021-11-21  3:00 UTC
  To: gentoo-commits

commit:     5f17e5ac1d12a5bb6d264a4e9e127fb3f28cd0e2
Author:     Kenton Groombridge <me <AT> concord <DOT> sh>
AuthorDate: Tue Nov 16 17:11:59 2021 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sat Nov 20 22:58:24 2021 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=5f17e5ac

wine: fix roleattribute statement

Signed-off-by: Kenton Groombridge <me <AT> concord.sh>
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>

 policy/modules/apps/wine.if | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/policy/modules/apps/wine.if b/policy/modules/apps/wine.if
index 2050167d..37f10d03 100644
--- a/policy/modules/apps/wine.if
+++ b/policy/modules/apps/wine.if
@@ -33,7 +33,7 @@ template(`wine_role',`
 		type wine_home_t;
 	')
 
-	roleattribute $1 wine_roles;
+	roleattribute $4 wine_roles;
 
 	domtrans_pattern($3, wine_exec_t, wine_t)
 



* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/apps/
@ 2023-02-13 15:35 Kenton Groombridge
From: Kenton Groombridge @ 2023-02-13 15:35 UTC
  To: gentoo-commits

commit:     0ace931ace4b0f237c27301c052bd1d3571349d8
Author:     Corentin LABBE <clabbe.montjoie <AT> gmail <DOT> com>
AuthorDate: Thu Jan  5 15:42:10 2023 +0000
Commit:     Kenton Groombridge <concord <AT> gentoo <DOT> org>
CommitDate: Mon Feb 13 15:24:01 2023 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=0ace931a

mandb: permit reading inherited cron files

Each night /etc/cron.daily/man-db generates an AVC:
allow mandb_t system_cronjob_tmp_t:file { read write };

Add the necessary rules for it.

Signed-off-by: Corentin LABBE <clabbe.montjoie <AT> gmail.com>
Signed-off-by: Kenton Groombridge <concord <AT> gentoo.org>

 policy/modules/apps/mandb.te | 1 +
 1 file changed, 1 insertion(+)

diff --git a/policy/modules/apps/mandb.te b/policy/modules/apps/mandb.te
index f136a90ae..5dd7cf7a5 100644
--- a/policy/modules/apps/mandb.te
+++ b/policy/modules/apps/mandb.te
@@ -59,5 +59,6 @@ ifdef(`init_systemd',`
 ')
 
 optional_policy(`
+	cron_rw_inherited_system_job_tmp_files(mandb_t)
 	cron_system_entry(mandb_t, mandb_exec_t)
 ')
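Review bot: the AVC quoted in the commit message asks for { read write } on system_cronjob_tmp_t files and cron_rw_inherited_system_job_tmp_files grants both, so the subject line, which only mentions reading, understates the change; say read/write. Scoping the grant to inherited file descriptors rather than to the files themselves is the right choice: mandb only needs the temporary file the cron job already opened, not the ability to open system cron tmp files on its own. Placing the call in the same optional_policy block as cron_system_entry is correct, as both depend on the cron module being present.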



* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/apps/
@ 2023-10-06 16:44 Kenton Groombridge
From: Kenton Groombridge @ 2023-10-06 16:44 UTC
  To: gentoo-commits

commit:     9139acd456b4a49f7d8286023ac6abc09725ccb7
Author:     Yi Zhao <yi.zhao <AT> windriver <DOT> com>
AuthorDate: Wed Sep 20 06:43:34 2023 +0000
Commit:     Kenton Groombridge <concord <AT> gentoo <DOT> org>
CommitDate: Fri Oct  6 15:27:06 2023 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=9139acd4

loadkeys: do not audit attempts to get attributes for all directories

Fixes:
avc:  denied  { getattr } for  pid=239 comm="loadkeys" path="/boot"
dev="vda" ino=15 scontext=system_u:system_r:loadkeys_t:s0-s15:c0.c1023
tcontext=system_u:object_r:boot_t:s0 tclass=dir permissive=1

avc:  denied  { getattr } for  pid=239 comm="loadkeys" path="/home"
dev="vda" ino=806 scontext=system_u:system_r:loadkeys_t:s0-s15:c0.c1023
tcontext=system_u:object_r:home_root_t:s0-s15:c0.c1023 tclass=dir permissive=1

avc:  denied  { getattr } for  pid=239 comm="loadkeys" path="/lost+found"
dev="vda" ino=11 scontext=system_u:system_r:loadkeys_t:s0-s15:c0.c1023
tcontext=system_u:object_r:lost_found_t:s15:c0.c1023 tclass=dir permissive=1

avc:  denied  { getattr } for  pid=239 comm="loadkeys" path="/media"
dev="vda" ino=810 scontext=system_u:system_r:loadkeys_t:s0-s15:c0.c1023
tcontext=system_u:object_r:mnt_t:s0 tclass=dir permissive=1

Signed-off-by: Yi Zhao <yi.zhao <AT> windriver.com>
Signed-off-by: Kenton Groombridge <concord <AT> gentoo.org>

 policy/modules/apps/loadkeys.te | 1 +
 1 file changed, 1 insertion(+)

diff --git a/policy/modules/apps/loadkeys.te b/policy/modules/apps/loadkeys.te
index b9558dccc..56fb45114 100644
--- a/policy/modules/apps/loadkeys.te
+++ b/policy/modules/apps/loadkeys.te
@@ -35,6 +35,7 @@ files_read_usr_files(loadkeys_t)
 files_search_runtime(loadkeys_t)
 files_search_src(loadkeys_t)
 files_search_tmp(loadkeys_t)
+files_dontaudit_getattr_all_dirs(loadkeys_t)
 
 term_dontaudit_use_console(loadkeys_t)
 term_use_unallocated_ttys(loadkeys_t)
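Review bot: the new call is inserted after files_search_tmp(loadkeys_t) although the neighbouring files_* calls (files_read_usr_files, files_search_runtime, files_search_src, files_search_tmp) are in alphabetical order, so files_dontaudit_getattr_all_dirs should move ahead of files_read_usr_files to keep that order. Using dontaudit rather than allow is the right call for these denials: the quoted AVCs are getattr on top-level directories (/boot, /home, /lost+found, /media) recorded with permissive=1, a directory walk that loadkeys does not need to succeed, so the noise is silenced without granting loadkeys_t any access it did not have.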



* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/apps/
@ 2023-10-06 16:44 Kenton Groombridge
From: Kenton Groombridge @ 2023-10-06 16:44 UTC
  To: gentoo-commits

commit:     a4c6f2483b5025b63c5d42837f9eabd73d9866fe
Author:     Guido Trentalancia <guido <AT> trentalancia <DOT> com>
AuthorDate: Fri Sep 29 20:30:14 2023 +0000
Commit:     Kenton Groombridge <concord <AT> gentoo <DOT> org>
CommitDate: Fri Oct  6 15:31:45 2023 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=a4c6f248

Let openoffice perform temporary file transitions and manage link files.

Signed-off-by: Guido Trentalancia <guido <AT> trentalancia.com>
Signed-off-by: Kenton Groombridge <concord <AT> gentoo.org>

 policy/modules/apps/openoffice.te | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/policy/modules/apps/openoffice.te b/policy/modules/apps/openoffice.te
index 37ac6720c..f8cccacd4 100644
--- a/policy/modules/apps/openoffice.te
+++ b/policy/modules/apps/openoffice.te
@@ -61,8 +61,9 @@ userdom_user_home_dir_filetrans(ooffice_t, ooffice_home_t, dir, ".openoffice")
 
 manage_dirs_pattern(ooffice_t, ooffice_tmp_t, ooffice_tmp_t)
 manage_files_pattern(ooffice_t, ooffice_tmp_t, ooffice_tmp_t)
+manage_lnk_files_pattern(ooffice_t, ooffice_tmp_t, ooffice_tmp_t)
 manage_sock_files_pattern(ooffice_t, ooffice_tmp_t, ooffice_tmp_t)
-files_tmp_filetrans(ooffice_t, ooffice_tmp_t, { dir file sock_file })
+files_tmp_filetrans(ooffice_t, ooffice_tmp_t, { dir file lnk_file sock_file })
 
 can_exec(ooffice_t, ooffice_exec_t)
 
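Review bot: the commit message gives no AVC or use case explaining why ooffice_t needs to create and manage symbolic links under ooffice_tmp_t, so a reviewer cannot judge whether manage_lnk_files_pattern plus the lnk_file transition is the minimal fix; quote the denial or name the feature that triggers it. Adding lnk_file to files_tmp_filetrans together with the manage pattern is internally consistent: without the transition, links created by ooffice_t in /tmp would inherit the parent directory's tmp_t label and the new manage rule would never apply to them.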


