---
consolekit.te | 16 ++++++++++++++--
1 file changed, 14 insertions(+), 2 deletions(-)
diff --git a/consolekit.te b/consolekit.te
index 050c5c5..1c540c9 100644
--- a/consolekit.te
+++ b/consolekit.te
@@ -24,8 +24,8 @@ init_daemon_pid_file(consolekit_var_run_t, dir, "ConsoleKit")
# Local policy
#
-allow consolekit_t self:capability { chown setuid setgid sys_tty_config dac_override sys_nice sys_ptrace };
-allow consolekit_t self:process { getsched signal };
+allow consolekit_t self:capability { chown fowner setuid setgid sys_admin sys_tty_config dac_override sys_nice sys_ptrace };
+allow consolekit_t self:process { getsched signal setfscreate };
allow consolekit_t self:fifo_file rw_fifo_file_perms;
allow consolekit_t self:unix_stream_socket { accept listen };
@@ -61,9 +61,15 @@ files_read_var_lib_files(consolekit_t)
files_search_all_mountpoints(consolekit_t)
fs_list_inotifyfs(consolekit_t)
+fs_mount_tmpfs(consolekit_t)
+fs_unmount_tmpfs(consolekit_t)
+fs_relabelfrom_tmpfs(consolekit_t)
mcs_ptrace_all(consolekit_t)
+seutil_libselinux_linked(consolekit_t)
+seutil_read_file_contexts(consolekit_t)
+
term_use_all_terms(consolekit_t)
auth_use_nsswitch(consolekit_t)
@@ -79,6 +85,12 @@ miscfiles_read_localization(consolekit_t)
userdom_dontaudit_read_user_home_content_files(consolekit_t)
userdom_read_user_tmp_files(consolekit_t)
+userdom_manage_user_runtime_root_dirs(consolekit_t)
+userdom_manage_user_runtime_dirs(consolekit_t)
+userdom_mounton_user_runtime_dirs(consolekit_t)
+userdom_relabelto_user_runtime_dirs(consolekit_t)
+userdom_pid_filetrans_user_runtime_root(consolekit_t, dir, "user")
+userdom_user_runtime_root_filetrans_user_runtime(consolekit_t, dir)
tunable_policy(`use_nfs_home_dirs',`
fs_read_nfs_files(consolekit_t)
--
2.7.3
---
pulseaudio.fc | 1 +
pulseaudio.te | 7 ++++++-
2 files changed, 7 insertions(+), 1 deletion(-)
diff --git a/pulseaudio.fc b/pulseaudio.fc
index 6864479..514a9e7 100644
--- a/pulseaudio.fc
+++ b/pulseaudio.fc
@@ -7,3 +7,4 @@ HOME_DIR/\.pulse-cookie -- gen_context(system_u:object_r:pulseaudio_home_t,s0)
/var/lib/pulse(/.*)? gen_context(system_u:object_r:pulseaudio_var_lib_t,s0)
/var/run/pulse(/.*)? gen_context(system_u:object_r:pulseaudio_var_run_t,s0)
+/var/run/%{USERID}/pulse(/.*)? gen_context(system_u:object_r:pulseaudio_tmp_t,s0)
diff --git a/pulseaudio.te b/pulseaudio.te
index 169d0bc..a7aff4c 100644
--- a/pulseaudio.te
+++ b/pulseaudio.te
@@ -56,6 +56,7 @@ manage_dirs_pattern(pulseaudio_t, pulseaudio_tmp_t, pulseaudio_tmp_t)
manage_files_pattern(pulseaudio_t, pulseaudio_tmp_t, pulseaudio_tmp_t)
manage_sock_files_pattern(pulseaudio_t, pulseaudio_tmp_t, pulseaudio_tmp_t)
files_tmp_filetrans(pulseaudio_t, pulseaudio_tmp_t, dir)
+userdom_user_runtime_filetrans(pulseaudio_t, pulseaudio_tmp_t, dir)
userdom_user_tmp_filetrans(pulseaudio_t, pulseaudio_tmp_t, file, "autospawn.lock")
userdom_user_tmp_filetrans(pulseaudio_t, pulseaudio_tmp_t, file, "pid")
userdom_user_tmp_filetrans(pulseaudio_t, pulseaudio_tmp_t, sock_file, "dbus-socket")
@@ -203,8 +204,11 @@ optional_policy(`
#
allow pulseaudio_client self:unix_dgram_socket sendto;
+allow pulseaudio_client self:process signull;
-allow pulseaudio_client pulseaudio_client:process signull;
+allow pulseaudio_client pulseaudio_tmp_t:dir manage_dir_perms;
+allow pulseaudio_client pulseaudio_tmp_t:file manage_file_perms;
+allow pulseaudio_client pulseaudio_tmp_t:sock_file manage_sock_file_perms;
read_files_pattern(pulseaudio_client, { pulseaudio_tmpfsfile pulseaudio_tmpfs_t }, { pulseaudio_tmpfsfile pulseaudio_tmpfs_t })
delete_files_pattern(pulseaudio_client, pulseaudio_tmpfsfile, pulseaudio_tmpfsfile)
@@ -228,6 +232,7 @@ pulseaudio_home_filetrans_pulseaudio_home(pulseaudio_client, file, ".pulse-cooki
pulseaudio_signull(pulseaudio_client)
userdom_read_user_tmpfs_files(pulseaudio_client)
+userdom_user_runtime_filetrans(pulseaudio_client, pulseaudio_tmp_t, dir, "pulse")
# userdom_delete_user_tmpfs_files(pulseaudio_client)
tunable_policy(`use_nfs_home_dirs',`
--
2.7.3
---
ftp.te | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/ftp.te b/ftp.te
index 774bc9e..ed82117 100644
--- a/ftp.te
+++ b/ftp.te
@@ -318,9 +318,11 @@ tunable_policy(`ftp_home_dir',`
userdom_manage_user_tmp_dirs(ftpd_t)
userdom_manage_user_tmp_files(ftpd_t)
userdom_tmp_filetrans_user_tmp(ftpd_t, { dir file })
+ userdom_user_runtime_filetrans_user_tmp(ftpd_t, { dir file })
',`
userdom_user_home_dir_filetrans_user_home_content(ftpd_t, { dir file })
userdom_tmp_filetrans_user_tmp(ftpd_t, { dir file })
+ userdom_user_runtime_filetrans_user_tmp(ftpd_t, { dir file })
')
tunable_policy(`ftp_home_dir && use_nfs_home_dirs',`
@@ -457,9 +459,11 @@ tunable_policy(`sftpd_enable_homedirs',`
userdom_manage_user_tmp_dirs(sftpd_t)
userdom_manage_user_tmp_files(sftpd_t)
userdom_tmp_filetrans_user_tmp(sftpd_t, { dir file })
+ userdom_user_runtime_filetrans_user_tmp(sftpd_t, { dir file })
',`
userdom_user_home_dir_filetrans_user_home_content(sftpd_t, { dir file })
userdom_tmp_filetrans_user_tmp(sftpd_t, { dir file })
+ userdom_user_runtime_filetrans_user_tmp(sftpd_t, { dir file })
')
tunable_policy(`sftpd_enable_homedirs && use_nfs_home_dirs',`
--
2.7.3
---
gnome.te | 1 +
1 file changed, 1 insertion(+)
diff --git a/gnome.te b/gnome.te
index c4746b6..11d5fad 100644
--- a/gnome.te
+++ b/gnome.te
@@ -89,6 +89,7 @@ userdom_user_tmp_filetrans(gconfd_t, gconf_tmp_t, { dir file })
userdom_manage_user_tmp_dirs(gconfd_t)
userdom_tmp_filetrans_user_tmp(gconfd_t, dir)
+userdom_user_runtime_filetrans_user_tmp(gconfd_t, dir)
optional_policy(`
dbus_all_session_domain(gconfd_t, gconfd_exec_t)
--
2.7.3
---
mplayer.te | 1 +
1 file changed, 1 insertion(+)
diff --git a/mplayer.te b/mplayer.te
index 0f03cd9..3ce0487 100644
--- a/mplayer.te
+++ b/mplayer.te
@@ -201,6 +201,7 @@ userdom_use_user_terminals(mplayer_t)
userdom_manage_user_tmp_dirs(mplayer_t)
userdom_manage_user_tmp_files(mplayer_t)
userdom_tmp_filetrans_user_tmp(mplayer_t, { dir file })
+userdom_user_runtime_filetrans_user_tmp(mplayer_t, { dir file })
userdom_manage_user_home_content_dirs(mplayer_t)
userdom_manage_user_home_content_files(mplayer_t)
--
2.7.3
---
userhelper.te | 1 +
1 file changed, 1 insertion(+)
diff --git a/userhelper.te b/userhelper.te
index 8dadb4b..661f841 100644
--- a/userhelper.te
+++ b/userhelper.te
@@ -68,6 +68,7 @@ userdom_use_user_terminals(consolehelper_type)
userdom_manage_user_tmp_dirs(consolehelper_type)
userdom_manage_user_tmp_files(consolehelper_type)
userdom_tmp_filetrans_user_tmp(consolehelper_type, { dir file })
+userdom_user_runtime_filetrans_user_tmp(consolehelper_type, { dir file })
tunable_policy(`use_nfs_home_dirs',`
fs_search_nfs(consolehelper_type)
--
2.7.3
---
wm.te | 1 +
1 file changed, 1 insertion(+)
diff --git a/wm.te b/wm.te
index a3861e9..a477a16 100644
--- a/wm.te
+++ b/wm.te
@@ -40,6 +40,7 @@ miscfiles_read_localization(wm_domain)
userdom_manage_user_tmp_sockets(wm_domain)
userdom_tmp_filetrans_user_tmp(wm_domain, sock_file)
+userdom_user_runtime_filetrans_user_tmp(wm_domain, sock_file)
userdom_manage_user_home_content_dirs(wm_domain)
userdom_manage_user_home_content_files(wm_domain)
--
2.7.3
On 6/1/2016 12:12 PM, Jason Zaman wrote:
> ---
> consolekit.te | 16 ++++++++++++++--
> 1 file changed, 14 insertions(+), 2 deletions(-)
This whole set is merged.
> diff --git a/consolekit.te b/consolekit.te
> index 050c5c5..1c540c9 100644
> --- a/consolekit.te
> +++ b/consolekit.te
> @@ -24,8 +24,8 @@ init_daemon_pid_file(consolekit_var_run_t, dir, "ConsoleKit")
> # Local policy
> #
>
> -allow consolekit_t self:capability { chown setuid setgid sys_tty_config dac_override sys_nice sys_ptrace };
> -allow consolekit_t self:process { getsched signal };
> +allow consolekit_t self:capability { chown fowner setuid setgid sys_admin sys_tty_config dac_override sys_nice sys_ptrace };
> +allow consolekit_t self:process { getsched signal setfscreate };
> allow consolekit_t self:fifo_file rw_fifo_file_perms;
> allow consolekit_t self:unix_stream_socket { accept listen };
>
> @@ -61,9 +61,15 @@ files_read_var_lib_files(consolekit_t)
> files_search_all_mountpoints(consolekit_t)
>
> fs_list_inotifyfs(consolekit_t)
> +fs_mount_tmpfs(consolekit_t)
> +fs_unmount_tmpfs(consolekit_t)
> +fs_relabelfrom_tmpfs(consolekit_t)
>
> mcs_ptrace_all(consolekit_t)
>
> +seutil_libselinux_linked(consolekit_t)
> +seutil_read_file_contexts(consolekit_t)
> +
> term_use_all_terms(consolekit_t)
>
> auth_use_nsswitch(consolekit_t)
> @@ -79,6 +85,12 @@ miscfiles_read_localization(consolekit_t)
>
> userdom_dontaudit_read_user_home_content_files(consolekit_t)
> userdom_read_user_tmp_files(consolekit_t)
> +userdom_manage_user_runtime_root_dirs(consolekit_t)
> +userdom_manage_user_runtime_dirs(consolekit_t)
> +userdom_mounton_user_runtime_dirs(consolekit_t)
> +userdom_relabelto_user_runtime_dirs(consolekit_t)
> +userdom_pid_filetrans_user_runtime_root(consolekit_t, dir, "user")
> +userdom_user_runtime_root_filetrans_user_runtime(consolekit_t, dir)
>
> tunable_policy(`use_nfs_home_dirs',`
> fs_read_nfs_files(consolekit_t)
>
--
Chris PeBenito
Tresys Technology, LLC
http://www.tresys.com | oss.tresys.com