commit: a26be753769eaa412a9809f3b7c26c7cba90408d |
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be> |
AuthorDate: Thu Nov 1 20:03:42 2012 +0000 |
Commit: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be> |
CommitDate: Thu Nov 1 20:03:42 2012 +0000 |
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=a26be753 |
|
Reshuffle to match upstream |
|
Reshuffle locations of certain interface calls to locations they shouldn't be |
according to upstream coding style, but are not enforced on upstream as well. |
Hence, we tend to follow upstream here to not have too many patches fail when we |
merge changes... |
|
--- |
policy/modules/contrib/mozilla.te | 33 ++++++++++++++------------------- |
1 files changed, 14 insertions(+), 19 deletions(-) |
|
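diff --git a/policy/modules/contrib/mozilla.te b/policy/modules/contrib/mozilla.te
index 098225c..fca9e78 100644
--- a/policy/modules/contrib/mozilla.te
+++ b/policy/modules/contrib/mozilla.te
@@ -7,7 +7,8 @@ policy_module(mozilla, 2.7.1)
 
 ## <desc>
 ## <p>
-## Determine whether mozilla can make its stack executable.
+## Determine whether mozilla can
+## make its stack executable.
 ## </p>
 ## </desc>
 gen_tunable(mozilla_execstack, false)
@@ -134,9 +135,9 @@ kernel_read_net_sysctls(mozilla_t)
 kernel_read_network_state(mozilla_t)
 kernel_read_system_state(mozilla_t)
 
-corecmd_exec_bin(mozilla_t)
-corecmd_exec_shell(mozilla_t)
 corecmd_list_bin(mozilla_t)
+corecmd_exec_shell(mozilla_t)
+corecmd_exec_bin(mozilla_t)
 
 corenet_all_recvfrom_unlabeled(mozilla_t)
 corenet_all_recvfrom_netlabel(mozilla_t)
@@ -179,25 +180,25 @@ corenet_tcp_connect_tor_port(mozilla_t)
 corenet_tcp_sendrecv_tor_port(mozilla_t)
 
 dev_getattr_sysfs_dirs(mozilla_t)
-dev_read_rand(mozilla_t)
 dev_read_sound(mozilla_t)
+dev_read_rand(mozilla_t)
 dev_read_urand(mozilla_t)
 dev_rw_dri(mozilla_t)
 dev_write_sound(mozilla_t)
 
 domain_dontaudit_read_all_domains_state(mozilla_t)
 
-files_dontaudit_getattr_boot_dirs(mozilla_t)
 files_read_etc_runtime_files(mozilla_t)
 files_read_usr_files(mozilla_t)
 files_read_var_files(mozilla_t)
 files_read_var_lib_files(mozilla_t)
 files_read_var_symlinks(mozilla_t)
+files_dontaudit_getattr_boot_dirs(mozilla_t)
 
 fs_getattr_all_fs(mozilla_t)
+fs_search_auto_mountpoints(mozilla_t)
 fs_list_inotifyfs(mozilla_t)
 fs_rw_tmpfs_files(mozilla_t)
-fs_search_auto_mountpoints(mozilla_t)
 
 term_dontaudit_getattr_pty_dirs(mozilla_t)
 
@@ -272,8 +273,8 @@ tunable_policy(`mozilla_read_user_content',`
 ')
 
 optional_policy(`
- apache_read_user_content(mozilla_t)
  apache_read_user_scripts(mozilla_t)
+ apache_read_user_content(mozilla_t)
 ')
 
 optional_policy(`
@@ -414,8 +415,8 @@ stream_connect_pattern(mozilla_plugin_t, mozilla_plugin_tmpfs_t, mozilla_plugin_
 can_exec(mozilla_plugin_t, { mozilla_exec_t mozilla_plugin_home_t mozilla_plugin_tmp_t })
 
 kernel_read_all_sysctls(mozilla_plugin_t)
-kernel_read_network_state(mozilla_plugin_t)
 kernel_read_system_state(mozilla_plugin_t)
+kernel_read_network_state(mozilla_plugin_t)
 kernel_request_load_module(mozilla_plugin_t)
 kernel_dontaudit_getattr_core_if(mozilla_plugin_t)
 
@@ -486,23 +487,23 @@ corenet_tcp_connect_vnc_port(mozilla_plugin_t)
 corenet_tcp_sendrecv_vnc_port(mozilla_plugin_t)
 
 dev_read_generic_usb_dev(mozilla_plugin_t)
-dev_rw_dri(mozilla_plugin_t)
 dev_read_rand(mozilla_plugin_t)
 dev_read_sound(mozilla_plugin_t)
 dev_read_sysfs(mozilla_plugin_t)
 dev_read_urand(mozilla_plugin_t)
 dev_read_video_dev(mozilla_plugin_t)
-dev_rw_xserver_misc(mozilla_plugin_t)
 dev_write_sound(mozilla_plugin_t)
 dev_write_video_dev(mozilla_plugin_t)
+dev_rw_dri(mozilla_plugin_t)
+dev_rw_xserver_misc(mozilla_plugin_t)
 
 dev_dontaudit_getattr_generic_files(mozilla_plugin_t)
 dev_dontaudit_getattr_generic_pipes(mozilla_plugin_t)
 dev_dontaudit_getattr_all_blk_files(mozilla_plugin_t)
 dev_dontaudit_getattr_all_chr_files(mozilla_plugin_t)
 
-domain_dontaudit_read_all_domains_state(mozilla_plugin_t)
 domain_use_interactive_fds(mozilla_plugin_t)
+domain_dontaudit_read_all_domains_state(mozilla_plugin_t)
 
 files_list_mnt(mozilla_plugin_t)
 files_read_config_files(mozilla_plugin_t)
@@ -511,8 +512,8 @@ files_read_usr_files(mozilla_plugin_t)
 fs_getattr_all_fs(mozilla_plugin_t)
 fs_search_auto_mountpoints(mozilla_plugin_t)
 
-term_getattr_all_ptys(mozilla_plugin_t)
 term_getattr_all_ttys(mozilla_plugin_t)
+term_getattr_all_ptys(mozilla_plugin_t)
 
 application_dontaudit_signull(mozilla_plugin_t)
 
@@ -527,12 +528,6 @@ miscfiles_read_generic_certs(mozilla_plugin_t)
 miscfiles_read_localization(mozilla_plugin_t)
 
 userdom_dontaudit_use_user_terminals(mozilla_plugin_t)
-#userdom_manage_user_tmp_dirs(mozilla_plugin_t)
-#userdom_manage_user_tmp_sockets(mozilla_plugin_t)
-#userdom_read_user_home_content_files(mozilla_plugin_t)
-#userdom_read_user_home_content_symlinks(mozilla_plugin_t)
-#userdom_read_user_tmp_files(mozilla_plugin_t)
-#userdom_read_user_tmp_symlinks(mozilla_plugin_t)
 userdom_rw_user_tmpfs_files(mozilla_plugin_t)
 
 xserver_user_x_domain_template(mozilla_plugin, mozilla_plugin_t, mozilla_plugin_tmpfs_t)
@@ -558,9 +553,9 @@ tunable_policy(`use_samba_home_dirs',`
 ')
 
 optional_policy(`
+ alsa_read_rw_config(mozilla_plugin_t)
  alsa_domain(mozilla_plugin_t, mozilla_plugin_tmpfs_t)
  alsa_read_home_files(mozilla_plugin_t)
- alsa_read_rw_config(mozilla_plugin_t)
 ')
 
 optional_policy(`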
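Review bot: The hunk at `@@ -527,12 +528,6 @@` drops six commented-out `userdom_*` calls for mozilla_plugin_t, which goes beyond the reordering the commit message describes; a reader auditing what the plugin domain may touch in user home and tmp content would want the message to say that dead, commented-out rules were removed rather than live ones. Every other hunk only moves an interface call within the same block it already sat in (e.g. the apache and alsa calls stay inside their own `optional_policy` block), so the compiled policy should be identical before and after — worth stating explicitly in the message so the change can be merged without a policy rebuild comparison. The `optional_policy` and `tunable_policy` blocks touched by the last hunks begin or end outside the hunks shown.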