2017-11-14 02:03:36

by Mira Ressel

Subject: [refpolicy] [PATCH] Allow gtk apps to map usr_t files

This is required to access gtk's icon cache. IIRC, past discussion on
the ML came to the conclusion that adding a new domain for this would be
overkill.
---
blueman.te | 1 +
evolution.te | 1 +
gpg.te | 1 +
mozilla.te | 1 +
openoffice.te | 1 +
thunderbird.te | 1 +
wireshark.te | 1 +
wm.te | 1 +
8 files changed, 8 insertions(+)

diff --git a/blueman.te b/blueman.te
index 3a5032e..c00e3cc 100644
--- a/blueman.te
+++ b/blueman.te
@@ -45,6 +45,7 @@ dev_rw_wireless(blueman_t)
domain_use_interactive_fds(blueman_t)

files_list_tmp(blueman_t)
+files_map_usr_files(blueman_t)
files_read_usr_files(blueman_t)

auth_use_nsswitch(blueman_t)
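Review bot: The added `files_map_usr_files(blueman_t)` deserves a one-line comment, because a reader who sees `files_read_usr_files(blueman_t)` directly below it may take the map call for a redundant duplicate. On kernels that check the separate `map` permission, an mmap of the icon cache is denied even though read is already granted, which is the motivation the subject line gives but the hunk does not record; suggested comment above the new line: `# gtk mmaps its icon cache; map is checked separately from read`. The same applies to the equivalent one-line additions in evolution.te, gpg.te, mozilla.te, openoffice.te, thunderbird.te, wireshark.te and wm.te. The description could also state that this grants map on all usr_t files rather than only the icon cache, and, as far as I know, does not extend to execute, which stays a separate permission.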
diff --git a/evolution.te b/evolution.te
index ed56f43..a9ffea3 100644
--- a/evolution.te
+++ b/evolution.te
@@ -182,6 +182,7 @@ dev_read_urand(evolution_t)

domain_dontaudit_read_all_domains_state(evolution_t)

+files_map_usr_files(evolution_t)
files_read_usr_files(evolution_t)

fs_dontaudit_getattr_xattr_fs(evolution_t)
diff --git a/gpg.te b/gpg.te
index d55eeaf..d860aeb 100644
--- a/gpg.te
+++ b/gpg.te
@@ -338,6 +338,7 @@ dev_read_rand(gpg_pinentry_t)

domain_use_interactive_fds(gpg_pinentry_t)

+files_map_usr_files(gpg_pinentry_t)
files_read_usr_files(gpg_pinentry_t)

fs_dontaudit_getattr_xattr_fs(gpg_pinentry_t)
diff --git a/mozilla.te b/mozilla.te
index 79e0cd4..5a58ee9 100644
--- a/mozilla.te
+++ b/mozilla.te
@@ -170,6 +170,7 @@ dev_write_sound(mozilla_t)
domain_dontaudit_read_all_domains_state(mozilla_t)

files_read_etc_runtime_files(mozilla_t)
+files_map_usr_files(mozilla_t)
files_read_usr_files(mozilla_t)
files_read_var_files(mozilla_t)
files_read_var_lib_files(mozilla_t)
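Review bot: The new `files_map_usr_files(mozilla_t)` is placed after `files_read_etc_runtime_files(mozilla_t)`, which breaks the alphabetical ordering of interface calls that the surrounding lines appear to follow and that refpolicy convention asks for; it should go one line up, before `files_read_etc_runtime_files(mozilla_t)`. The same placement issue is in openoffice.te (after `files_read_etc_files(ooffice_t)`) and wm.te (after `files_read_etc_runtime_files(wm_domain)`). The other hunks already put the map call ahead of the first `files_read_*` line.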
diff --git a/openoffice.te b/openoffice.te
index 3c42014..eb10349 100644
--- a/openoffice.te
+++ b/openoffice.te
@@ -80,6 +80,7 @@ files_getattr_all_dirs(ooffice_t)
files_getattr_all_files(ooffice_t)
files_getattr_all_symlinks(ooffice_t)
files_read_etc_files(ooffice_t)
+files_map_usr_files(ooffice_t)
files_read_usr_files(ooffice_t)

fs_getattr_xattr_fs(ooffice_t)
diff --git a/thunderbird.te b/thunderbird.te
index 865de1d..70ff0f0 100644
--- a/thunderbird.te
+++ b/thunderbird.te
@@ -86,6 +86,7 @@ dev_read_urand(thunderbird_t)
dev_dontaudit_search_sysfs(thunderbird_t)

files_list_tmp(thunderbird_t)
+files_map_usr_files(thunderbird_t)
files_read_usr_files(thunderbird_t)
files_read_etc_runtime_files(thunderbird_t)
files_read_var_files(thunderbird_t)
diff --git a/wireshark.te b/wireshark.te
index a398fd7..ca4289f 100644
--- a/wireshark.te
+++ b/wireshark.te
@@ -86,6 +86,7 @@ dev_read_rand(wireshark_t)
dev_read_sysfs(wireshark_t)
dev_read_urand(wireshark_t)

+files_map_usr_files(wireshark_t)
files_read_usr_files(wireshark_t)

fs_getattr_all_fs(wireshark_t)
diff --git a/wm.te b/wm.te
index b9c0498..e54f283 100644
--- a/wm.te
+++ b/wm.te
@@ -56,6 +56,7 @@ dev_rw_wireless(wm_domain)
dev_write_sound(wm_domain)

files_read_etc_runtime_files(wm_domain)
+files_map_usr_files(wm_domain)
files_read_usr_files(wm_domain)

fs_getattr_all_fs(wm_domain)
--
2.15.0


2017-11-14 23:32:21

by Chris PeBenito

Subject: [refpolicy] [PATCH] Allow gtk apps to map usr_t files

On 11/13/2017 09:03 PM, Luis Ressel via refpolicy wrote:
> This is required to access gtk's icon cache. IIRC, past discussion on
> the ML came to the conclusion that adding a new domain for this would be
> overkill.
> ---
> blueman.te | 1 +
> evolution.te | 1 +
> gpg.te | 1 +
> mozilla.te | 1 +
> openoffice.te | 1 +
> thunderbird.te | 1 +
> wireshark.te | 1 +
> wm.te | 1 +
> 8 files changed, 8 insertions(+)
>
> diff --git a/blueman.te b/blueman.te
> index 3a5032e..c00e3cc 100644
> --- a/blueman.te
> +++ b/blueman.te
> @@ -45,6 +45,7 @@ dev_rw_wireless(blueman_t)
> domain_use_interactive_fds(blueman_t)
>
> files_list_tmp(blueman_t)
> +files_map_usr_files(blueman_t)
> files_read_usr_files(blueman_t)
>
> auth_use_nsswitch(blueman_t)
> diff --git a/evolution.te b/evolution.te
> index ed56f43..a9ffea3 100644
> --- a/evolution.te
> +++ b/evolution.te
> @@ -182,6 +182,7 @@ dev_read_urand(evolution_t)
>
> domain_dontaudit_read_all_domains_state(evolution_t)
>
> +files_map_usr_files(evolution_t)
> files_read_usr_files(evolution_t)
>
> fs_dontaudit_getattr_xattr_fs(evolution_t)
> diff --git a/gpg.te b/gpg.te
> index d55eeaf..d860aeb 100644
> --- a/gpg.te
> +++ b/gpg.te
> @@ -338,6 +338,7 @@ dev_read_rand(gpg_pinentry_t)
>
> domain_use_interactive_fds(gpg_pinentry_t)
>
> +files_map_usr_files(gpg_pinentry_t)
> files_read_usr_files(gpg_pinentry_t)
>
> fs_dontaudit_getattr_xattr_fs(gpg_pinentry_t)
> diff --git a/mozilla.te b/mozilla.te
> index 79e0cd4..5a58ee9 100644
> --- a/mozilla.te
> +++ b/mozilla.te
> @@ -170,6 +170,7 @@ dev_write_sound(mozilla_t)
> domain_dontaudit_read_all_domains_state(mozilla_t)
>
> files_read_etc_runtime_files(mozilla_t)
> +files_map_usr_files(mozilla_t)
> files_read_usr_files(mozilla_t)
> files_read_var_files(mozilla_t)
> files_read_var_lib_files(mozilla_t)
> diff --git a/openoffice.te b/openoffice.te
> index 3c42014..eb10349 100644
> --- a/openoffice.te
> +++ b/openoffice.te
> @@ -80,6 +80,7 @@ files_getattr_all_dirs(ooffice_t)
> files_getattr_all_files(ooffice_t)
> files_getattr_all_symlinks(ooffice_t)
> files_read_etc_files(ooffice_t)
> +files_map_usr_files(ooffice_t)
> files_read_usr_files(ooffice_t)
>
> fs_getattr_xattr_fs(ooffice_t)
> diff --git a/thunderbird.te b/thunderbird.te
> index 865de1d..70ff0f0 100644
> --- a/thunderbird.te
> +++ b/thunderbird.te
> @@ -86,6 +86,7 @@ dev_read_urand(thunderbird_t)
> dev_dontaudit_search_sysfs(thunderbird_t)
>
> files_list_tmp(thunderbird_t)
> +files_map_usr_files(thunderbird_t)
> files_read_usr_files(thunderbird_t)
> files_read_etc_runtime_files(thunderbird_t)
> files_read_var_files(thunderbird_t)
> diff --git a/wireshark.te b/wireshark.te
> index a398fd7..ca4289f 100644
> --- a/wireshark.te
> +++ b/wireshark.te
> @@ -86,6 +86,7 @@ dev_read_rand(wireshark_t)
> dev_read_sysfs(wireshark_t)
> dev_read_urand(wireshark_t)
>
> +files_map_usr_files(wireshark_t)
> files_read_usr_files(wireshark_t)
>
> fs_getattr_all_fs(wireshark_t)
> diff --git a/wm.te b/wm.te
> index b9c0498..e54f283 100644
> --- a/wm.te
> +++ b/wm.te
> @@ -56,6 +56,7 @@ dev_rw_wireless(wm_domain)
> dev_write_sound(wm_domain)
>
> files_read_etc_runtime_files(wm_domain)
> +files_map_usr_files(wm_domain)
> files_read_usr_files(wm_domain)
>
> fs_getattr_all_fs(wm_domain)

Merged.

--
Chris PeBenito