From: guido@trentalancia.net (Guido Trentalancia)
Date: Fri, 14 Apr 2017 01:25:25 +0200
Subject: [refpolicy] [PATCH 6/10] evolution: add some critical permissions
Message-ID: <1492125925.14193.44.camel@trentalancia.net>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

Update the evolution module with permissions strictly needed to
run new versions.

Signed-off-by: Guido Trentalancia <guido@trentalancia.net>
---
 policy/modules/contrib/evolution.te |    4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

--- refpolicy-git-13042017-2208/policy/modules/contrib/evolution.te	2017-04-14 00:47:44.378717800 +0200
+++ refpolicy-git-13042017-2208-new/policy/modules/contrib/evolution.te	2017-04-14 00:49:07.168717461 +0200
@@ -111,7 +111,7 @@ userdom_user_tmpfs_file(evolution_webcal
 #
 
 allow evolution_t self:capability { setgid setuid sys_nice };
-allow evolution_t self:process { signal getsched setsched };
+allow evolution_t self:process { execmem getsched setsched signal };
 allow evolution_t self:fifo_file rw_file_perms;
 
 allow evolution_t evolution_home_t:dir manage_dir_perms;
@@ -185,7 +185,9 @@ domain_dontaudit_read_all_domains_state(
 files_read_usr_files(evolution_t)
 
 fs_dontaudit_getattr_xattr_fs(evolution_t)
+fs_getattr_tmpfs(evolution_t)
 fs_search_auto_mountpoints(evolution_t)
+fs_search_cgroup_dirs(evolution_t)
 
 auth_use_nsswitch(evolution_t)